Why in News?
- Government notified the Digital Personal Data Protection (DPDP) Rules, 2025 on 14 November 2025, operationalising major parts of the DPDP Act, 2023.
- Notification triggers:
  - Formation of Data Protection Board of India (DPBI).
  - Implementation of consent framework, data processing norms, and compliance timelines.
- Controversy: Amendment to Section 8(1)(j) of RTI Act, 2005 officially comes into force, sparking protests from transparency activists (MKSS, NCPRI).
Relevance
GS 2 – Polity & Governance
- DPDP Act, 2023 + DPDP Rules, 2025 implementation.
- Privacy vs transparency debate (RTI Act Section 8(1)(j) amendment).
- Data Protection Board of India (DPBI): powers & limitations.
- State–citizen interface: consent, data processing, grievance redressal.
GS 3 – Cybersecurity
- Data breach reporting norms, digital governance challenges.
- Rights of minors online; digital ecosystems.
DPDP Act, 2023
Purpose
- India’s first comprehensive data protection law—parallel to GDPR (EU) and PDPA (Singapore).
Key Concepts
- Data Fiduciary: Entity (firm/state) processing personal data.
- Data Principal: Individual whose data is processed.
- Significant Data Fiduciary (SDF): Large firms with higher compliance obligations.
Core Obligations on Fiduciaries
- Security safeguards: Encryption, access control, security audits.
- Purpose limitation: Data collected only for specific, lawful purposes.
- Storage limitation: Delete data after purpose is fulfilled or inactivity.
- Breach notification: Report as soon as possible.
Rights of Data Principals
- Informed consent backed by clear summaries.
- Right to access data.
- Right to correction, erasure, deletion.
- Right to grievance redressal.
- Right to withdraw consent.
Children’s Data
- Restrictions on data processing and targeted ads.
- Rules carve out parental access to child’s location.
DPDP Rules, 2025 – What They Add
- Operational details for consent notices, breach reporting, storage deletion.
- Consent Manager Ecosystem:
  - Users manage data permissions across platforms via a single interface.
  - Comparable to OS-level permissions managers.
- Data Protection Officer (DPO) requirement for SDFs becomes enforceable in 1 year.
- Compliance timelines: Firms get up to 18 months.
- Penalties:
  - ₹10,000 to ₹250 crore depending on severity and repeated non-compliance.
Institutional Mechanism
Data Protection Board of India (DPBI)
- Now operational.
- Under MeitY, with four members.
- Functions:
  - Inquiry into breaches.
  - Adjudication of penalties.
  - Oversight and compliance.
Major Controversy: RTI Act Amendment
What changed?
- Section 8(1)(j) earlier exempted “personal information” unless public interest justified disclosure.
- DPDP Act removed the public interest override.
- Now govt bodies can reject requests more broadly.
Why activists oppose it?
- Eliminates a critical transparency safeguard.
- Potential consequences:
  - Social audits (ration rolls, muster rolls, work logs) risk being classified as private.
  - Shields officials from scrutiny in corruption cases.
  - Undermines MKSS-led accountability campaigns.
- MKSS and NCPRI protested since 2022 draft; vowed to challenge implications.
Government stance
- Amendment notified despite resistance.
- Another amendment to IT Act, 2000 still pending.
Wider Governance Issues
- Increased government discretion in defining “personal information”.
- Risk of over-classification by officials.
- Debate on balancing:
  - Privacy rights
  - Transparency and public interest
  - Accountability in public expenditure
Comparison with GDPR
- Similarities: Consent, data minimisation, erasure rights, fiduciary obligations.
- Differences:
  - No data localisation mandate.
  - No explicit independent regulator (DPBI under MeitY).
  - Broader govt exemptions.
  - Narrower scope of “sensitive personal data”.
Status of Implementation
- In force now:
  - DPBI formation
  - RTI amendment
  - Consent Manager framework (initialisation)
- To be enforced within 18 months:
  - Firm-level compliance
  - DPO appointment
  - Full breach reporting norms


