Awareness key to digital personal data protection

The notification of the Digital Personal Data Protection (DPDP) Rules, 2025, marks the operationalisation of a comprehensive legal framework governing digital personal data protection in India under the DPDP Act, 2023. These rules provide for the processing of digital personal data in a manner that recognises the right of individuals to protect their personal data, societal rights and the need to process personal data for lawful purposes. As the Act demands informed consent and transparency, a gap in digital literacy undermines the effectiveness of the rules in ensuring a simple, citizen-focused and innovation-friendly framework for the responsible use of digital personal data, as claimed by the government. Especially in regions like the northeast, where the digital divide continues to persist and excludes many rural and marginalised communities from digital access, ensuring informed consent for processing personal data collected by data companies or government agencies will first require building awareness about various legal aspects of personal digital data and how the rules can protect them from misuse of their digital data. The rapid spread of the internet, e-commerce, e-governance, and social media marketing has led to phenomenal growth in the collection of digital users in the country, and in the process, the volume of personal digital data collected by various apps, websites, or government departments has also grown exponentially. Transparency, promised under the DPDP Act and Rules, demands these data-collecting agencies share with users how they are using the data and obtain prior consent before they share it with a third party. The seven core principles in the Act are consent and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards, and accountability. The rules require the apps, websites, portals and government departments to issue standalone, clear and simple consent notices that transparently explain the specific purpose for which personal data is being collected and used. It also makes it mandatory that the Consent Managers, i.e., the entities that help individuals manage their permissions, must be Indian companies. The Act mandates that to ensure stronger protection, the data-collecting companies, departments and agencies must obtain verifiable consent before processing the personal data of children, with limited exemptions for essential purposes such as healthcare, education and real-time safety. For persons with disabilities who cannot make legal decisions even with support, consent must come from a lawful guardian verified under applicable laws, it adds. But transparency demands more clarity in terms like 'real-time safety' and 'essential purpose', and the rules must provide for checks and balances against abuse of ambiguity by unscrupulous companies to collect personal digital data of users. For parents of children belonging to marginalised households and without much digital literacy, obtaining verifiable consent will remain a grey area if the digital literacy does not precede digital data collection. For, if the users are clueless as to why they are sharing their data with an app or website, any claim by a company about obtaining informed consent carries no meaning. Nevertheless, the stronger legal provisions empower informed digital users to raise and escalate grievances against a data-collecting company if they come across any breach of their digital personal data in violation of the provisions of the DPDP Rules and the principal Act. The Unique Identification Authority of India (UIDAI) has already initiated a comprehensive strategic and technological review to shape the next decade of Aadhaar's evolution through a new 'Aadhaar Vision 2032'.  Apart from focusing on leveraging cutting-edge technologies such as artificial intelligence, blockchain, quantum computing, advanced encryption, and next-generation data security mechanisms, the new Aadhaar policy document will also outline the framework for next-generation Aadhaar architecture aligned with DPDP. The alignment of the Aadhaar framework with DPDP may have positive outcomes, such as verifiable and specific consent being mandatory before using this digital identity for financial purposes like Know Your Customer, which will also reduce unauthorised data sharing by data-collecting companies and departments, but as in other cases of personal digital data sharing, the prevalence of gaps in digital literacy will render obtaining verifiable consent for Aadhaar data collection unclear, with the users not aware of their rights to protect personal digital data and procedures to exercise it to prevent misuse of their digital identity. The objectives of protecting personal digital data under the new legal regime will remain unachieved as long as digital users are not made aware of their rights and how the system of digital data collection works and why the companies must secure consent from them. The notification of the DPDP Rules needs to be followed by a widespread awareness campaign about the legal architecture and rights of the citizens so that they can contribute to making data governance in the country robust and safeguarded from digital fraud through informed consent. Such campaigns prioritising rural areas are crucial to make the DPDP Rules truly citizen-centric and simple, accessible, rational and actionable, as promised.