India's Data Protection Law Takes Shape: 18-Month Compliance Window for Firms
The Indian government has finally notified the Digital Personal Data Protection (DPDP) Rules, paving the way for the country's first comprehensive data privacy law. The rules, published on November 13, establish the operational framework for the law and set out a detailed compliance timeline. Large firms have 18 months to comply with the main provisions, while smaller entities have until May 2027 to meet all requirements. Provisions on consent manager registration and related obligations take effect only after a further one-year window.

The Data Protection Board (DPB) has been formally established, with its head office in the National Capital Region, and will comprise four members. The rules require companies to notify affected users immediately after any personal data breach and to inform the DPB within 72 hours, although the government has retained the prerogative to block a breach notification if it decides to. The provision allowing the central government to access citizens' personal data on vague grounds has raised concerns among privacy researchers and lawyers.

The rules also mandate security safeguards, including encryption, access controls and logging mechanisms, and require companies to retain processing logs and personal data for a minimum of one year. Large platforms, including e-commerce entities and social media intermediaries, must delete personal data after three years of user inactivity.

Companies must also obtain verifiable parental consent before processing any child's personal data. The DPDP Act prohibits data fiduciaries from tracking or behaviourally monitoring children, as well as from conducting targeted advertising directed at them.
However, the rules introduce an additional exemption, allowing tracking to determine a child's real-time location when necessary for their safety, security, or protection. The rules also outline user rights and grievance redressal mechanisms, including the right to withdraw consent and the requirement for companies to respond to grievances within 90 days. The government has also introduced a data localisation framework, allowing personal data to be transferred outside India subject to restrictions. However, the rules do not specify which data categories must remain within India, deferring that decision for future notification. The DPDP Act was passed by Parliament in August 2023, but the law could not be enforced without rules specifying operational details. The final rules incorporate feedback from a public consultation process held in January 2025.