India’s First Digital Privacy Law Comes into Force with New DPDP Rules
India has officially activated its first-ever digital privacy legislation with the notification of rules under the Digital Personal Data Protection (DPDP) Act. The new regulations set out a structured framework for companies and other stakeholders to comply, giving them a period of up to 18 months to align with the administrative requirements outlined in the Act. Meanwhile, consent managers, who act on behalf of users, are granted up to 12 months to complete their registration.
The rules mandate that social media platforms, internet intermediaries, and all companies handling user data provide individuals—referred to as “data principals”—with a clear and itemized overview of the personal information being collected. They must also explicitly communicate the purpose for which this data will be used before obtaining consent.
Users are now empowered with greater control over their personal data. They can withdraw consent for data processing at any time and have the right to lodge complaints with the Data Protection Board (DPB) if they believe their rights have been violated.
For companies or individuals to operate as consent managers, they must register with the DPB and satisfy the conditions specified by the Board. Consent managers are required to maintain compliance at all times, with the DPB authorized to suspend the registration of any manager failing to meet these obligations.
The DPB itself will operate as a fully digital body and will be headquartered in New Delhi. It will consist of four members, including a Chairperson, and will oversee enforcement and compliance matters.
The rules also introduce classifications for digital intermediaries depending on the type of services they provide. Each category has a distinct timeline for deleting users’ personal data unless retention is legally required.
In the event of a data breach, the data fiduciary is required to notify both the user and the DPB within 72 hours of discovering the breach. The notification must include details of the breach, such as its nature, extent, timing, consequences, and the measures being taken to mitigate risks. Additionally, users must be informed about steps they can take to safeguard themselves.



