Fri Jan 03 16:54:46 UTC 2025: ## India Releases Draft Digital Data Protection Rules

**New Delhi, January 3, 2025** – The Indian government unveiled draft rules for the Digital Personal Data Protection (DPDP) Act, 2023, opening a public consultation period until February 18. These rules, over a year in development, detail how the Act will be enforced, outlining responsibilities for data fiduciaries (entities collecting data) and providing protections for data principals (users).

Key provisions in the draft rules include:

* **Data Collection Notices:** Data fiduciaries must clearly inform users what data is collected, why, and how it will be used, enabling informed consent.
* **Consent Managers:** The rules establish a system for registering consent managers who will assist in obtaining user consent.
* **Government Data Collection:** The government can collect data for subsidies and benefits, and for statistical purposes, subject to specified standards.
* **Data Security and Breach Notification:** Data fiduciaries must implement security measures to prevent breaches and notify the Data Protection Board of India (DPBI) within 72 hours of any breach. The DPBI is yet to be established.
* **Data Deletion:** Data must be deleted after 48 hours’ notice for users who have not engaged with e-commerce, social media, or online gaming services for an extended period.
* **Data Protection Officer:** Data fiduciaries must publicly display contact information for their data protection officer.
* **Data Protection Impact Assessments:** Significant data fiduciaries must conduct regular assessments and audits.
* **Children’s Data:** Verifiable parental consent is required before processing a child’s personal data.
* **International Data Transfers:** The government will specify requirements for processing Indian data abroad in future orders.

The Ministry of Electronics and Information Technology (MeitY) will hold all submitted feedback confidentially. Stakeholders are encouraged to provide input via the MyGov portal.

Read More