Bringing comprehensive enforcement to India’s privacy landscape, the central government has officially notified the long-awaited implementation rules for the Digital Personal Data Protection (DPDP) Act, 2023. These stringent rules define the legal fiduciary responsibilities of tech platforms and operationalize the all-powerful Data Protection Board of India.
Key Highlights & Strategic Significance
- Verifiable Parental Consent Mechanism: The rules introduce uncompromising age-gating requirements. Platforms processing the data of minors (under 18 years) must use cryptographically secure methods to obtain verifiable, explicit parental consent without resorting to tracking the child’s online behavior.
- Empowering the Data Principal: Mandates the creation of a standardized, multi-lingual digital “Consent Artifact.” This dashboard allows everyday users (Data Principals) to view, manage, and instantly revoke their digital consent across all participating apps.
- Significant Data Fiduciaries (SDFs): Mega social media platforms and massive e-commerce sites classified as SDFs must appoint a resident, independent Data Protection Officer (DPO) in India and submit to annual, third-party algorithmic privacy audits.
- Mandatory Breach Reporting: Imposes a strict, non-negotiable legal mandate requiring data fiduciaries to report any personal data breach to both the Data Protection Board and the affected users within a maximum 72-hour window.
- Defined State Exemptions: The rules precisely define the boundaries of “legitimate state interest,” legally ensuring that government agencies are granted exemptions from privacy norms only under strict conditions of national security, sovereignty, and law enforcement.
Source Link: https://www.livelaw.in/top-stories/dpdp-act-rules-2026-notified-meity-data-protection-board-250891
Q6. Under the provisions of the Digital Personal Data Protection (DPDP) Act, an entity (whether a corporate company or a government department) that determines the specific purpose and means of processing an individual’s personal data is legally defined as a:
A) Data Principal
B) Data Fiduciary
C) Data Processor
D) Data Intermediary
