India’s New Data Privacy Rules: Know how they impact you, apps & E-commerce Platforms

India’s new data privacy rules promise stronger protection for your personal information while bringing big changes for apps, e-commerce platforms, and everyday internet users

Kavi Priya
Data Privacy Rules, India’s E-commerce Platforms, New Data Privacy Rules
India has officially activated major parts of the Digital Personal Data Protection Act (DPDP Act), 2023 along with the Digital Personal Data Protection Rules, 2025. After nearly two years of waiting since Parliament passed the law, the government has now notified the sections that put the country’s new data protection system into action.

This is a major shift in how personal data will be handled across e-commerce platforms, social media companies, websites, apps, banks, and nearly every online service Indians use.

A Big Shift for Companies that Handle Data

Several changes in the Rules directly affect large online platforms. The Third Schedule of the Rules clearly outlines the obligations of big e-commerce companies, social media platforms, and online gaming intermediaries.

1. Large platforms must delete user data after three years of inactivity

One of the most important requirements is that big platforms must automatically delete your personal data if:

  • You stop using their service, and
  • Three years pass since your last login or interaction, and
  • The data is not legally required for any purpose such as tax compliance or fraud investigation.

This rule applies to:

  • E-commerce companies with 2 crore or more registered users
  • Social-media intermediaries with 2 crore or more registered users
  • Online gaming intermediaries with 50 lakh or more users

(These thresholds are specified in the Third Schedule of the Rules.)

This includes everyday personal details such as:

  • Name
  • Address
  • Phone number
  • Email ID
  • Order history
  • Saved payment information (if stored on the platform)

Until now, many companies kept user data forever, even if the user left years ago. This rule stops that practice.

2. Companies must notify you before deleting your data

Before deleting your information, platforms must send you a notice at least 48 hours in advance. This gives you a chance to log in or download your data if you want it to be retained. For the first time, users get actual control instead of being left unaware of how long companies keep their personal details.
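The deletion rule in section 1 and the 48-hour notice in section 2 together describe a small state machine that a platform's retention job has to implement: a record is kept while the user is active or under a legal hold, is notified once it crosses three years of inactivity, and is deleted only after the notice period has elapsed with no new activity. The following is an added illustration written for this article, not code from the article or from any regulator or platform; the data model, the use of 3 × 365 days for "three years", and the sample records are assumptions made for the example, while the thresholds (three years, 48 hours, 2 crore and 50 lakh users) are the ones the article states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Thresholds as stated in the article (Third Schedule and section 2 above).
INACTIVITY_PERIOD = timedelta(days=3 * 365)   # assumption: three years ~ 3 * 365 days
NOTICE_PERIOD = timedelta(hours=48)           # minimum advance notice before deletion
USER_THRESHOLDS = {                           # registered-user counts that bring a platform in scope
    "e-commerce": 20_000_000,                 # 2 crore
    "social-media": 20_000_000,               # 2 crore
    "online-gaming": 5_000_000,               # 50 lakh
}


def platform_in_scope(kind: str, registered_users: int) -> bool:
    """True if a platform of this kind meets the Third Schedule user threshold."""
    threshold = USER_THRESHOLDS.get(kind)
    return threshold is not None and registered_users >= threshold


@dataclass
class UserRecord:
    """Hypothetical per-user retention metadata kept by the platform."""
    user_id: str
    last_activity: datetime                 # last login or interaction
    legal_hold: bool = False                # e.g. needed for tax compliance or a fraud investigation
    notice_sent_at: Optional[datetime] = None  # when the 48-hour deletion notice went out


def process_record(record: UserRecord, now: datetime) -> str:
    """Decide what the retention job should do with one record right now.

    Returns one of: "keep", "notify", "wait", "delete".  The record is updated
    in place so that the next run sees the notice state.
    """
    if record.legal_hold:
        return "keep"                       # data still legally required: never auto-delete
    if now - record.last_activity < INACTIVITY_PERIOD:
        record.notice_sent_at = None        # any activity cancels a pending deletion
        return "keep"
    if record.notice_sent_at is None:
        record.notice_sent_at = now         # crossed three years: send the advance notice
        return "notify"
    if now - record.notice_sent_at < NOTICE_PERIOD:
        return "wait"                       # notice sent, 48 hours not yet elapsed
    return "delete"                         # inactive, notified, notice period over


def run_sweep(records: List[UserRecord], now: datetime) -> Dict[str, str]:
    """Run the retention decision over every record and return the actions taken."""
    return {r.user_id: process_record(r, now) for r in records}


def sample_records(now: datetime) -> List[UserRecord]:
    """Constructed sample data covering each branch of the rule."""
    four_years = timedelta(days=4 * 365)
    return [
        UserRecord("active-user", now - timedelta(days=10)),
        UserRecord("held-user", now - four_years, legal_hold=True),
        UserRecord("newly-inactive", now - four_years),
        UserRecord("in-notice-window", now - four_years, notice_sent_at=now - timedelta(hours=12)),
        UserRecord("notice-expired", now - four_years, notice_sent_at=now - timedelta(hours=72)),
        # Logged in after a notice was sent: activity wins, notice is cleared.
        UserRecord("came-back", now - timedelta(days=1), notice_sent_at=now - timedelta(days=10)),
    ]


if __name__ == "__main__":
    now = datetime(2025, 11, 20, tzinfo=timezone.utc)
    for user_id, action in run_sweep(sample_records(now), now).items():
        print(f"{user_id:>18}: {action}")
```

The sweep is idempotent: running it twice in the same hour produces "wait" rather than a second notice, and a user who returns after the notice is moved back to "keep" with the notice cleared, which is the behaviour the 48-hour window is meant to allow.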

3. Much stronger security obligations

Rule 6 of the DPDP Rules requires all platforms to implement “reasonable security safeguards”. Translated into simple language, it means companies must use proper tools and systems to protect your data, such as:

  • Encryption
  • Multi-factor access control
  • Monitoring system logs
  • Regular audits
  • Restricted employee access

This ensures companies cannot be casual or careless with your personal information anymore.

4. Mandatory data-breach notifications

If your data leaks, platforms cannot hide it or delay informing you. Under Rule 7, they must immediately tell you:

  • What happened
  • What data was exposed
  • What harm you may face
  • What steps you should take
  • What the company is doing to fix the issue

This improves transparency and allows users to take timely action, such as changing passwords or blocking cards.

5. Consent Managers for easier user control

The Rules introduce government-approved “Consent Managers”. These are online dashboards that let you:

  • See all the apps and websites you have given consent to
  • Withdraw consent quickly
  • Update or manage permissions

This makes consent simpler and more centralised, especially for people who use many apps.


Heavy Penalties for Breaking Data-Protection Rules

With the creation of the Data Protection Board of India (DPB), the government now has a dedicated authority to investigate data breaches, examine user complaints, and impose penalties.

The law allows multi-crore penalties depending on the seriousness of the violation. These penalties can be extremely high:

  • Up to Rs. 250 crore for failing to prevent major data breaches
  • Up to Rs. 200 crore for not notifying users and the Board about a data breach
  • Up to Rs. 200 crore for violating rules relating to children’s data
  • Up to Rs. 150 crore for “Significant Data Fiduciaries” that fail to follow additional obligations
  • Up to Rs. 50 crore for denying user rights like deletion, correction, or consent withdrawal

This is one of the strictest financial penalty systems in any Indian tech law and is designed to force companies to take data protection seriously.

Impact of Rules on Common People

1. Better privacy and control

Users can now demand that companies delete or correct their data, or disclose what data they hold, and companies must respond.

2. Data will no longer be stored forever

Automatic deletion for inactive users means companies cannot build giant databases of old personal information.

3. Safer digital experiences

Companies will be extra careful because the financial penalties are huge.

4. More transparency around data leaks

People will no longer be left guessing when their private details, passwords, or financial data have been exposed.

5. Stronger protection for children

Apps and platforms that serve children must obtain verifiable parental consent and avoid harmful data practices.


But There Are Gaps and Unanswered Questions

1. Government agencies get broad exemptions

This is one of the biggest concerns. The DPDP Act allows wide exemptions for the central and state governments and their instrumentalities when processing data for welfare schemes, subsidies, licences, or law enforcement.

This means:

  • Government bodies do not have to follow the same strict rules as private companies.
  • Oversight on government use of data remains weak.
  • Citizens cannot easily question how their data is being used by the State.

Digital rights groups and civil-society organisations have repeatedly raised this as a structural problem.

2. Cross-border data rules still unclear

The Act says data may be transferred outside India except to countries the government bans. But no list or criteria have been released yet. Companies do not know which destinations will remain allowed.

3. No compensation guaranteed for data leak victims

If your data leaks, you get a notification, and the company may be fined.

  • But you do not get automatic compensation.
  • If you want damages, you must go to civil court.

4. Significant Data Fiduciary rules still unclear

The Act mentions extra compliance for large or high-risk platforms, but the exact criteria and the final list of such companies will come later.
Why Activists Say the Law Weakens the RTI Act

This is the most controversial part. The DPDP Act amends the Right to Information Act, 2005 by modifying Section 8(1)(j).

Earlier, personal information could still be shared under RTI if:

  1. The public interest justified it, and
  2. The information could not be withheld from Parliament.

These two safeguards were crucial for exposing corruption involving public officials.

Now, the amended clause simply says “personal data” cannot be disclosed. This could be interpreted to deny:

  • Beneficiary lists
  • Public servant transfers and postings
  • Disciplinary records
  • Information related to misuse of public funds connected to individuals

RTI activists warn that corruption cases could become harder to investigate because officials may hide behind the phrase “this is personal data”.
