In India, after extensive public debate, the Personal Data Protection Act, 2023, received Presidential assent on August 11, 2023. Following a wait of over a year, the Government of India (GOI) has now released the draft rules for the implementation of the Act for public scrutiny and feedback. These rules place significant responsibilities on Data Fiduciaries, who process the personal data of Data Principals (consumers) to deliver various services. According to the rules, data processing must adhere to the principle of necessity, ensuring that personal data is not retained indefinitely without purpose, thereby mitigating the risk of misuse.
Both the Act and the accompanying rules grant substantial rights to Data Principals, empowering them to manage their personal data by giving and withdrawing consent. While this framework appears robust on paper, it presents practical challenges for users. Given the vast number of websites and applications individuals interact with daily, it becomes nearly impossible for users to effectively manage their consents on their own.
