India has taken a significant step forward in its data protection regime by releasing draft rules under the Digital Personal Data Protection (DPDP) Act, 2023, for public consultation. The draft rules outline 22 key points designed to govern the handling of personal data by entities operating within India.
A phased rollout has been proposed, beginning with the immediate implementation of the rules governing the Data Protection Board (Rules 16–20), including its composition and responsibilities.
Other provisions, such as requirements on notice, consent management, and regulations around government access to data, are planned for subsequent enforcement stages.
Among these are transparency in data fiduciary obligations, consent withdrawal and user rights management, security measures like encryption, pseudonymization, and masking, data breach notifications, parental consent for processing data of minors, and cross-border data transfers under government-specified conditions.
The draft also proposes exemptions for research and statistical purposes, embedding data protection principles into fiduciary systems, and categorizing entities that process large volumes of personal data or sensitive personal data as "Significant Data Fiduciaries."
Published by the Ministry of Electronics and Information Technology (MeitY) on Friday, these draft regulations are open for feedback until February 18, representing a key milestone in the country’s decade-long pursuit of comprehensive data protection legislation.
The road to the DPDP Act, 2023, began in 2011 when establishing a privacy law was recommended. Over the years, the vision for a structured data protection framework underwent several revisions, public debates, and legislative iterations before the law's notification in August 2023.
This draft now bridges the gap between policy and practical implementation, setting the stage for India's digital transformation. Recently, app stores in India lost tens of VPN apps due to the country's stringent 2022 VPN regulatory framework.