What can users expect under India's new data privacy rules?

NEW DELHI - India has put new privacy rules into force, cutting back what personal data Big Tech can collect and giving ordinary people more control over their own information.

The government passed the stringent Digital Personal Data Protection (DPDP) act in 2023 but the new regime only went live last week when it finalised new rules curtailing the reach of Meta, Google, OpenAI and other tech firms.

"Transparency isn't optional anymore," the Ministry of Electronics and IT posted on X when the law went live.

The rules - akin to a broader privacy law adopted by the European Union - come as countries scramble to safeguard personal data from the rising power of artificial intelligence (AI), with almost a billion AI users in India alone.

Here's everything you need to know about the law:

What are the new data privacy rules?

The rules establish safeguards for digital platforms - from social media and e-commerce to banking and government services.

The change means companies will only be able to collect data that is deemed necessary for a specified purpose.

Firms will also have to give Indian users a clear explanation for the collection, allow them to opt out and tell them if their information is involved in a data breach.

They must obtain parental consent for under-18 users and are barred from using their data for targeted advertising, meeting a long-standing demand from digital rights activists.

The rules give an 18-month period for compliance.

How do the rules impact users?

Under the regulations, users can allow or deny the use of their personal data. Consent must be clear and easy to understand, and people can withdraw it at any time.

People can ask companies what personal data has been collected, why it was gathered and how it is being used.

They can ask companies to fix information that is inaccurate or incomplete. They can also update details when circumstances change, such as a new address or phone number.

People can ask their personal data to be erased in certain situations, though the exact details were not immediately clear.

Companies must respond to all access, correction, updating or deletion requests within 90 days.

Users can also to appoint someone to exercise their data rights in cases of illness or disability.

Why did the law take so long to come into effect?

The DPDP law comes into force two years after it was passed because the government sought comments on the draft and talked with startups, industry experts, civil society groups and government departments.

Regular citizens were also invited to share views; the IT ministry said it had received nearly 7,000 responses.

What do digital rights experts say?

Many tech experts see the rules as an important step in making India's growing digital space more secure.

Others said they create new barriers to transparency and individual freedoms, calling the consultations vague and thin.

The Internet Freedom Foundation, a digital rights group, said users lacked protections "even as large data processing entities gain greater discretion and benefit from opacity".

"IFF is especially dismayed that the (rules) provide statutory backing for enabling personal data collection by state agencies with scant oversight, thereby entrenching state control over personal data," the group said in a statement on X.

The government says that the rules put citizens at the centre of India's data protection system.

"The rules aim to curb unauthorised commercial use of data, reduce digital harms and create a safe space for innovation," the IT ministry said in a press release on Monday.

Are more changes expected?

India is drafting a host of other regulations in the digital space, including higher compliance requirements for AI companies and social media firms.

With nearly a billion users online, AI services - including ChatGPT, Perplexity and Google Gemini - count India among their biggest markets.

Last month, the government proposed that AI and social media firms should clearly label AI-generated content to tackle the spread of deep-fake and misinformation, prompted by similar moves from the European Union and China.

The stakes are high where fake news risks stirring up deadly strife between disparate communities and after AI-generated videos have alarmed officials during elections.

(Reporting by Annie Banerji; Editing by Lyndsay Griffiths.)