India's Ministry of Electronics and Information Technology finalized the Digital Personal Data Protection Act regulations 14 Nov., ending a more than two-year wait for the implementation of the country's new data protection regime. The DPDPA was enacted by the Parliament of India in August 2023, but the 22 draft rules clarifying the law's application were only published in January following an exhaustive drafting process.

Even with the rules finalized, implementation will not occur all at once. Some DPDPA rules took force with their publication in the Official Gazette, including regulations for the establishment of the four-person Data Protection Board. Rules on the registration and functioning of consent managers will apply 12 months after finalization while the remainder of the regulations will be enforced after 18 months.

Progress Software Global Data Privacy Counsel Sarib Khan, CIPP/E, CIPM, said the phased approach to implementation "gives India’s diverse ecosystem a realistic runway to build privacy governance and technical readiness."

The rules cover clarifications around requirements placed on data fiduciaries, notice requirements to data principals for obtaining consent, registration of in-house consent managers with the DPB, data breach notification requirements and obligations for processing children’s data.

The IAPP Resource Center features a series of contributed and internal analyses examining the top operational impacts of the DPDPA. Included are outlines of consent management, cross-border data transfers, DPB enforcement and more.

In September, Minister of Electronics and Information Technology Ashwini Vaishnaw said the drafting of the rules was "cautious and deliberate" while legislators engaged in close consultation with relevant stakeholders. He provided greater insight into the thinking behind the rules in a Hindustan Times op-ed in January, noting the "pragmatic and growth-oriented" approach to regulation.

"The rules are designed with simplicity and clarity, ensuring that every Indian, regardless of their technical knowhow, can understand and exercise their rights," he wrote, adding the regulation brings "graded responsibilities, taking into account the varying capacities of stakeholders."

Nuance in focus

The long-anticipated finalization and application of India's rules bring a new landscape for the country's highly globalized industries, including services in the health care and financial sectors. Given its global implications, understanding the unique requirements of India’s data protection law will be essential for organizations and individuals alike.

"The regulated consent manager model and the use of digital locker–based parental verification stand out as uniquely Indian solutions that may influence international privacy practice," Khan said.

The consent framework will be particularly nuanced compared to other global jurisdictions, highlighted by the introduction of consent managers. The law and clarifying rules place specific registration and operational requirements on managers, which are defined under the law as the single point of contact to enable data principals — the users of a service — to give, manage, review and withdraw consent for data processing.

"The consent-centric framework under the DPDPA requires businesses to embed strong consent-management processes into their organisational architecture to ensure that consent obtained from Data Principals is free, specific, informed, unconditional, and unambiguous," Priti Suri & Associates Partner Dhruv Suri said. "To operationalize this consent framework and maintain a reliable record of processing activities, companies will need to undertake a significant overhaul of their internal systems. This includes clearly mapping how personal data is collected, used, shared, and stored across all business functions."

Suri also pointed to novelty around potential redress for data principals under the law. He said while the DPDPA provides no statutory right to claim damages, the new rules indicate a mediation mechanism carried out by the DPB that "may serve as an indirect way for data fiduciaries to settle disputes with data principals."

The transition periods provided will help create a softer landing for organizational compliance, but Khan recommended covered entities be proactive in familiarizing themselves with the law and how it applies to them.

"Organizations should begin readiness work now," he said. "Mapping data flows, reviewing consent journeys, strengthening logging and security hygiene, and assessing retention practices. Starting early will prevent a bottleneck as enforcement approaches."

Joe Duball is the news editor for the IAPP.