India Drafts New Rules for Data Privacy

The government of India has drafted rules that will define how companies inside and outside of the country must handle its citizens’ data privacy.

A Comprehensive National Data Protection Law

A year and a half ago, India enacted its first ever comprehensive national data protection law: the Digital Personal Data Protection (DPDP) Act. The act defined key privacy rights for Indian citizens — to access, update, correct, challenge, port, and erase their data, plus additional safeguards for children’s data — and various obligations of data stewards to secure user data, maintain its accuracy, limit how it’s used, and more.

Debatable Provisions

Certain provisions are more debatable, though, like the continued exceptions afforded to government agencies. Sequretek’s Desai says that "The exemption granted to the government from these rules raises questions about fairness and accountability, especially given the government’s significant role as a service provider," says Sequretek’s Desai. "India’s digital infrastructure is heavily influenced by government-led initiatives, unlike in the West, where private enterprises dominate," making the rule more impactful than it would be in other countries.

Feedback Deadline and Implementation

The deadline for submitting feedback on the new draft rules is February 18. After the rules are activated, MeitY stated in a January 5 press release, "An adequate period would be provided so that all stakeholders, from small enterprises to large corporates, may transition smoothly to achieve compliance with the new law."