DECODING THE DRAFT
Let’s talk about something that affects all of us—our personal data. With the world becoming increasingly digital, our personal information is more valuable than ever before. Think about it: from online shopping to social media and government services, our data is everywhere. But how safe is it? How is it being used? The Indian government has taken a step forward with the Digital Personal Data Protection Rules, 2025 (drafted under the Digital Personal Data Protection Act, 2023) to address these concerns. Let me walk you through what this draft means in simple terms.
First, let’s get on the same page about why personal data protection is so important. Every time you share your name, phone number, or bank details online, there’s a risk it could be misused. From annoying spam calls to serious data breaches, the misuse of personal data has become a pressing issue. This draft aims to safeguard your data and ensure it’s used responsibly.
Here’s the core idea: the draft introduces two main roles—data principals (that’s you) and data fiduciaries (companies, organizations, or entities that collect and use your data).
As a data principal, you have rights over your data, like deciding who can use it, for what purpose, and even the power to withdraw your consent.
Data fiduciaries, on the other hand, have responsibilities to handle your data ethically, securely, and transparently.
This draft puts you, the data principal, in the driver’s seat. Here’s how:
- Clear and Simple Notifications: Data fiduciaries must give you clear, easy-to-understand information about why they’re collecting your data and how they’ll use it. No more hidden terms or complex legal jargon.
- Consent Is King: You must explicitly agree to how your data is being used. Plus, you can change your mind anytime—your consent is easy to withdraw.
- Rights over Your Data: You can ask for access to your data. If there’s an error, you can get it corrected. Want to delete old data? You can ask for that too. Portability? Yes, you can request a copy of your data if you’re switching to another service.
- Protection for Children’s Data: If you’re a parent, the rules offer extra safeguards for your child’s personal information. Companies must get your consent before processing their data.
Now, let’s talk about what the data fiduciaries (think companies, banks, apps, etc.) are required to do under this draft:
- Transparency and Security: They must handle your data securely and tell you upfront about how it’s being used. If a data breach occurs, they must inform you and take corrective actions.
- Strict Data Retention Policies: Your data can’t be stored forever. Once the purpose of collecting your data is fulfilled, it must be deleted.
- Children’s Data Protection: Extra measures are required when dealing with children’s data, including verifying parental consent.
- Audit and Accountability: Fiduciaries must conduct regular audits and impact assessments to ensure they’re following the rules.
Now, here’s an interesting point: not all your data can leave India. Sensitive personal data (think your financial or health information) can only be sent outside India if the government allows it. This ensures that your data doesn’t end up in places with weak privacy protections.
Let’s say your data rights are violated. What happens next? The draft establishes a Data Protection Board to address such grievances. You can file complaints digitally, and the board will investigate and ensure justice. If you’re still unhappy, you can appeal to a specialized tribunal.
To ensure these rules aren’t just on paper, the draft includes penalties for violations. Data fiduciaries can face strict action, including fines, for failing to protect your data or misusing it.
This draft isn’t just about protecting individuals—it also lays down clear rules for businesses. Companies must adopt data-friendly practices, invest in secure systems, and be prepared for audits. While this might increase costs in the short term, it builds trust and ensures long-term growth.
Here’s the exciting part—you have a say in shaping these rules! The government has invited public suggestions on the draft until February 18, 2025, via the MyGov website. If you have concerns, questions, or ideas, now’s the time to speak up.
The Digital Personal Data Protection Rules, 2025, are a much-needed step towards safeguarding our digital lives. In an era where data is the new oil, these rules empower you to take control of your personal information. They also encourage businesses to adopt ethical data practices, creating a win-win situation for everyone.
Data privacy isn’t just about protecting information—it’s about protecting trust. This draft is a step in the right direction, but its success depends on proper implementation, awareness, and participation from all of us.
So, dear reader, the next time you share your personal information, remember—you now have rights, and those handling your data have responsibilities. The future of a safe digital India is in our hands. Let’s make it count!
What do you think about these new rules? Do they address your concerns? I’d love to hear your thoughts. Let’s continue this conversation and ensure our digital future is secure and empowering for everyone.
(The Author is Advocate, Supreme Court of India. Mail: [email protected])
