The Ministry of Electronics and Information Technology (MeitY) on Friday notified India’s data protection rules, marking a major step toward implementing a functional privacy regime, eight years after the Supreme Court recognised privacy as a fundamental right.
The rules arrived more than two years after the Digital Personal Data Protection Act received presidential assent in August 2023.
Although the law has now formally come into effect, only selective provisions are operative. Several key protections for users will be rolled out gradually over the next 12 to 18 months.
The government has also announced that the newly constituted Data Protection Board will have four members and be headquartered in New Delhi. A draft of these rules had been released earlier this year for public feedback.
Under the Digital Personal Data Protection Rules, 2025, the Centre will determine which categories of personal data may be processed by “significant data fiduciaries,” with the condition that such data, as well as traffic data associated with it, cannot be transferred outside India.
A government-appointed committee will define this category. Organisations may be designated as significant data fiduciaries based on the sensitivity and volume of data they handle, and the potential risks posed to national security, public order, electoral processes, or the country’s sovereignty.
Tech giants such as Meta, Google, Apple, Microsoft, and Amazon are expected to fall under this classification.
The rules place specific obligations on companies dealing with children’s data, requiring them to create a system for obtaining “verifiable” parental consent.
Notably, the government has refrained from mandating a particular method, leaving platforms to devise their own mechanisms, a demand social media firms had pushed for, citing practical difficulties.
In the event of a data breach, companies must inform affected users “without delay,” detailing the nature and extent of the breach, when and where it occurred, potential consequences for the user, and the steps being taken to mitigate the risks. Failure to implement adequate safeguards could attract penalties of up to ₹250 crore.
Even before the rules were notified, the Data Protection Act had drawn criticism for granting sweeping exemptions to government agencies on grounds such as national security, public order, and diplomatic considerations. Civil society groups and privacy advocates have also raised concerns that the law weakens the Right to Information (RTI) framework.
The new rules require all data fiduciaries, public or private, to put in place “reasonable security measures” to protect personal data. These include encryption, access controls, systems to detect unauthorised access, and regular data backups. Firms must also provide users with clear, standalone notices before processing their data.
These notices must specify the exact data being collected, the purpose of processing, and an itemised explanation of the services or benefits enabled through the use of such data.
However, it has drawn sharp criticism from digital rights advocates, civil society groups, legal experts, and industry stakeholders. Much of the backlash stems from issues flagged during the public consultation on the draft rules released in January and persists in the final version, which made minimal changes.
Critics argue the rules fail to address core flaws in the parent Act, potentially prioritising government control over individual privacy.
Section 36 of the Data Protection Act, read with Rule 22 of the Draft Rules, provides the Union government, through the corresponding authorised person, the power to demand “any” information from a data fiduciary or an intermediary for the purposes listed in the Seventh Schedule, according to the Internet Freedom Foundation.
“There is a huge potential for the Union government to misuse this power and call for personal data for surveillance, policing, stifling dissent and furthering the agendas of the ruling parties/government,” they said.
Earlier, Anjali Bhardwaj, an Indian social activist and co-convenor of the National Campaign for People’s Right to Information (NCPRI), has sharply criticised the Digital Personal Data Protection (DPDP) Act.
She warned that the law poses a “grave danger” to journalism, noting that it offers no exemptions for the collection, processing, or dissemination of personal data for journalistic work. According to her, the penalties could have a severe chilling effect on press freedom.
Bhardwaj also alleged that the Act amends the RTI law in ways that weaken transparency and places excessive power in the hands of the central government, especially since the government will appoint the oversight body empowered to levy these large penalties.
The post Govt notifies data protection rules, paving way for India’s first privacy law amid criticism appeared first on Maktoob media.
