Hyderabad: Can a customer walk into a multinational company like Amazon and ask it to remove all her information from the company's database? She might have been able to delete her account, but could she ensure whether the company has removed her information? It would not have been possible until a month ago. With the draft Digital Personal Data Protection (DPDP) Rules, 2025 released in public domain seeking comments and feedback, the citizens can now look forward to a framework through which they can exercise their right to privacy.
The rules are framed under the Digital Personal Data Protection Act, 2023, which is yet to come into force. However, it has created ripples within the industry as now all companies and even government institutions would now have to comply with the rules. This would require both citizens and institutions to be mindful of how private data is shared, stored and used.
As per India Cyber Threat Report 2025 released by Data Security Council of India (DSCI) last year, south India is the hub of the largest number of malware attacks, with Telangana leading among all the states. This shows the need to enhance privacy systems.
"The rules and the law need to be welcomed because prior to this, we were functioning in a vacuum. The Act certainly needs some strengthening but it can be the starting point that enables us to at least start thinking about privacy," said Arjun Reddy Bojja, a High Court lawyer specialising in data protection and privacy.
"The multinational companies earlier worked under GDPR, which did not have a legal backing in India. Now we have our own specific legal framework to be handed over to them. Initially, smaller businesses have little compliance burden but with the hope that they should not abuse this freedom," Bojja said.
With time, the Act would need to be strengthened as technology is already progressing at light speed. Companies would need to enhance their data protection capacities.
“You would notice that while using certain applications, you are being asked to check the companies' privacy norms. This is because privacy as a concept came into policy as an afterthought. Now, everyone has to overhaul their existing systems to be able to bring in privacy and data protection as part of their design by default," said Sai Krishna Singupuram, Senior Cybersecurity Consultant, Cybersecurity Centre of Excellence (CCoE), DSCI, Hyderabad.
As individuals, when we give our 'consent' to applications for using our personal data, we need to be informed how, when and where the company is going to use that data. "This comes under the ambit of 'informed consent'. The end user must be aware of what personal and private information they are sharing and how it could be used," Sai Krishna said.
“We welcome the introduction of the Digital Personal Data Protection (DPDP) Act in India. Beyond merely complying with statutory requirements, the DPDP Act marks a crucial turning point in cultivating a privacy-first mindset across industries. Organisations must adapt their processes, from product design to customer engagement,” said Sriram Birudavolu, CEO, CCoE, DSCI.
Imagine this scenario: You walk into a bar. The waiter asks you for your ID card. All that the waiter needs to know is whether you are of the drinking age or not. But for that, do you need to show him your ID card, which has all your other personal and private information? Is there a way through which he can get only the information he needs and nothing else? "This is possible," said Sai Krishna.
“With the emerging privacy enhancing technologies, such interventions can be made. DSCI's report 'Privacy Engineering: Way Ahead' delves into emerging Privacy-Enhancing Technologies (PETs). So in the bar scenario, there would be third party systems helping them to scan the card and take only the information they need and not collect any other data. There are also data anonymisation techniques that can be used," he mentioned.
