NEW DELHI — The draft Digital Personal Data Protection (DPDP) rules aim to
safeguard citizens’ rights for the protection of their personal data and also
address specific challenges like unauthorised commercial use of data and
digital harms, the Ministry of Electronics and Information Technology said on
Sunday.
The rules empower citizens by giving them greater control
over their data with provisions for informed consent, the right to erasure and
grievance redressal. Parents and guardians are empowered to ensure online
safety for their children, the official statement explains.
The rules are designed to empower citizens in a rapidly
growing digital economy, while achieving the right balance between regulation
and innovation, so that the benefits of India’s growing innovation ecosystem
are available to all citizens and India’s digital economy, the statement said.
The rules place citizens at the heart of the data protection
framework. Data Fiduciaries must provide clear and accessible information about
how personal data is processed, enabling informed consent, it added.
The statement highlights that India’s model strikes a unique
balance between fostering innovation and regulation to protect personal data.
Unlike restrictive global frameworks, these rules encourage economic growth
while prioritizing citizen welfare. Stakeholders view this as a new global
template for data governance.
The framework envisages lesser compliance burden for smaller
businesses and startups. An adequate period would be provided so that all
stakeholders, from small enterprises to large corporates, may transition
smoothly to achieve compliance with the new law, the statement said.
The rules embrace a “digital by design” philosophy. Consent
mechanisms, grievance redressal and the functioning of the Data Protection
Board are all aimed at ensuring Ease of Living and Ease of Doing Business. The
Board will function as a digital office, with a digital platform and app to
enable citizens to approach it digitally and to have their complaints
adjudicated without their physical presence being required, the statement
explained.
From processing complaints to interacting with Data
Fiduciaries, workflows are optimised to ensure speed and transparency. This
reflects India’s forward-looking approach to governance and builds trust
between citizens and Data Fiduciaries, the statement said.
It also highlights that graded responsibilities stipulated
in the rules cater to startups and MSMEs with lower compliance burden, while
Significant Data Fiduciaries have higher obligations. Sector-specific data
protection measures can complement the core personal data protection framework
created by the Act and the rules.
The Data Protection Board’s digital office approach would
ensure quick and transparent resolution of complaints. The Board is required to
take into consideration factors such as the nature and gravity of default,
efforts made to mitigate impact, etc., while imposing penalties for defaults.
Further, Data Fiduciaries may voluntarily give undertakings
at any stage of proceedings, which if accepted by the Board would result in
dropping of the same. This balances the need to protect the rights of citizens,
while providing a fair adjudicatory framework for those processing personal
data, the statement added.
The draft rules are based on wide ranging inputs gathered
from various stakeholders and study of global best practices. The Ministry of
Electronics and Information Technology has invited feedback/comments from the
public and stakeholders till February 18 through MyGov platform, in line with
the government’s commitment to adopt an inclusive approach to law-making.
Meanwhile, the government also plans a comprehensive
awareness campaign. These initiatives will educate citizens about their rights
and responsibilities under the new framework, fostering a culture of data
responsibility.
