Daijiworld Media Network – New Delhi
New Delhi, Nov 15: India has officially moved closer to a full-fledged privacy regime with the Union Ministry of Electronics and IT (MeitY) on Friday notifying the long-awaited data protection rules, nearly eight years after the Supreme Court declared privacy a fundamental right. The rules come more than two years after the Digital Personal Data Protection Act (DPDP Act) received Presidential assent in August 2023.
Even though the law is now operational, several crucial citizen protections will take another twelve to eighteen months to come into force. Provisions such as mandatory informed consent before data processing, limiting data use to legitimate purposes, and compulsory breach notifications to users will be implemented only after 18 months.

At present, the Data Protection Board of India (DPB) — the adjudicatory body responsible for enforcing compliance — has become functional. A contentious amendment to the Right to Information (RTI) Act, which restricts disclosure of personal information of public officials even when larger public interest is involved, has also been enforced. The government has notified that the DPB will have four members and will be headquartered in New Delhi.
As per the DPDP Rules, 2025, the Centre will specify categories of personal data that can be processed by “significant data fiduciaries”, with a strict requirement that such data cannot be transferred outside India. A government-appointed committee will determine these categories, effectively enforcing data localisation — a clause the tech industry has previously opposed.
Industry bodies, including Nasscom and the Data Security Council of India, said they recognise the need for mechanisms that support interoperability and ease cooperation with India’s international partners. Major global firms such as Meta, Google, Apple, Microsoft and Amazon are expected to fall under the category of significant data fiduciaries, identified on the basis of the volume and sensitivity of user data handled and the potential risks to national security, sovereignty, electoral processes and public order.
Tech companies will now have to create a system for obtaining “verifiable” parental consent before processing the data of children. The government has avoided prescribing a uniform method after companies expressed concerns about feasibility. Experts note that while behavioural tracking and targeted advertising to children remain restricted, limited personalisation aimed at preventing harmful content is allowed.
In the case of a data breach, entities must promptly inform affected individuals about the nature, extent, timing and location of the breach, potential consequences, and steps being taken to mitigate risks. Penalties for failing to maintain adequate safeguards could touch Rs 250 crore.
The DPDP Act had earlier attracted criticism for granting broad exemptions to government agencies on grounds such as national security, relations with foreign states and public order. Concerns about dilution of the RTI Act were also raised, including by NITI Aayog.
The new rules mandate clear, standalone notices for users before data is processed, specifying exactly what personal data is collected and why. Data fiduciaries must also ensure robust security protocols — including encryption, access controls, breach monitoring and data backups — to safeguard user information.