Centre Notifies India’s First Personal Data Protection Rules
The government has officially notified the rules for the Digital Personal Data Protection (DPDP) Act, India’s first dedicated law governing the processing of personal data. The Act was passed in August 2023, and its newly released rules closely follow the earlier draft with no major changes, according to MeitY Secretary S. Krishnan. While some provisions take effect immediately, key obligations, such as consent manager registration and data processing notices, will be phased in over 12–18 months.
The rules outline strict safeguards for children’s data, including restrictions on processing by healthcare professionals and educational institutions. Social media intermediaries with over two crore Indian users face additional limits, particularly on access to accounts and virtual tokens stored on platforms. Government provisions allow withholding certain data disclosures if they threaten national security or the integrity of the state.
Data Fiduciaries are mandated to store user data for at least three years and must notify affected individuals promptly in case of a data breach. They must also inform the Data Protection Board within 72 hours of becoming aware of the breach. Notifications to users must clearly specify the nature and extent of the breach, potential consequences, and mitigation measures being taken.




