From Principles to Practice: A Deep Dive into India’s Draft DPDP Rules

On 11 August 2023, India enacted the Digital Personal Data Protection Act, 2023 (DPDP Act), establishing a framework for the collection, use, and governance of personal data. The Act builds on principles such as fairness, lawful processing, and accountability, which form the foundation for the rights and obligations of data fiduciaries, data processors, and data principals. The government has now taken an important step towards operationalizing the Act by releasing the draft DPDP Rules (Draft Rules) for public consultation, with comments due by 18 February 2025. The Draft Rules serve as a preview of the regulatory expectations organizations may need to align with. Below, we summarize the Draft Rules and unpack their implications.

Breaking down the draft rules


1. When will the Rules come into effect? Implementation is phased. Provisions relating to the Data Protection Board (Rules 16-20) take effect upon notification in the official gazette, while the key operational requirements (Rules 3-15, 21 and 22) will come into force on a later date that the Draft Rules do not specify. This should give businesses and organizations time to align their operations, but clarity on the actual timeline will be crucial for effective preparation.

2. How should businesses provide a notice for consent? Businesses must give users a clear, standalone notice explaining how their personal data will be handled (Rule 3). The notice must specify what personal data will be processed, the purpose of the processing, and the exact goods, services or outcomes it enables. It must also include a link to the company's website or app, explain how users can withdraw consent as easily as they gave it, and set out how they can exercise their rights under the Act or lodge complaints with the Data Protection Board (DPB). Businesses will have to balance transparency with practicality, especially as processing activities evolve and notices need to keep pace.

3. Who are Consent Managers (CMs)? Consent Managers enable users to give, manage, review and withdraw consent for the processing of their personal data by Data Fiduciaries (DFs) (Rule 4 and First Schedule). To become a CM, a company must register with the DPB, meet the prescribed conditions and adhere to ongoing obligations. CMs must operate independently and avoid any conflict of interest with DFs.

4. How can government organizations process personal data? Government organizations can process personal data to deliver subsidies, benefits, services, licences or permits, subject to guidelines: processing must be lawful and necessary, retention must be limited, and robust security safeguards are required. They must also keep the data accurate and inform individuals about how their data is being used. The individual must either have consented to receive the benefit, or the benefit must be provided under law, policy or public funding (Rule 5 and Second Schedule).

5. What security safeguards should be adopted? DFs must implement reasonable security safeguards such as encryption, obfuscation or masking, virtual tokens mapped to the personal data, and strict access controls (Rule 6). These measures must also be reinforced contractually between DFs and data processors (DPs). Operationalizing this requirement will mean reviewing existing contracts to define clearly which safeguards each party is responsible for.
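The "virtual token mapping" named above is tokenisation: the system that holds the data keeps a vault that maps each personal-data value to a random token, and every other system (analytics, partners, processors) sees only the token. The following is an added illustration written for this post; it is not code from the Draft Rules or from any product, and the role name `support`, the `tok_` prefix and the sample records are assumptions made for the example. It also shows how erasure of a vault entry makes already-shared tokens irreversible, and a display-side masking helper of the kind a support screen would use.

```python
"""Virtual token mapping (tokenisation) of personal data, with vault-side
access control and erasure. Constructed illustration for this post; not code
from the Draft Rules or from any named product."""

import hashlib
import hmac
import secrets

# Roles allowed to reverse a token. Assumption for this example: only
# support staff handling a data principal's request may see raw values.
DETOKENISE_ROLES = {"support"}


class TokenVault:
    """Holds the only link between a token and the personal data it stands for.

    In production this store is kept apart from the systems that consume the
    tokens (separate database, separate credentials); here it is in memory.
    """

    def __init__(self, index_key: bytes) -> None:
        # A keyed hash over the value lets the vault find an existing token for
        # a repeated value without keeping a plain lookup table of values.
        self._index_key = index_key
        self._token_to_value: dict[str, str] = {}
        self._index_to_token: dict[str, str] = {}

    def _index(self, value: str) -> str:
        return hmac.new(self._index_key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def tokenize(self, value: str) -> str:
        """Return a random token for value, reusing the token if value was seen before."""
        idx = self._index(value)
        token = self._index_to_token.get(idx)
        if token is None:
            token = "tok_" + secrets.token_urlsafe(16)  # bears no relation to the value
            self._index_to_token[idx] = token
            self._token_to_value[token] = value
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Reverse a token; only roles listed in DETOKENISE_ROLES may call this."""
        if caller_role not in DETOKENISE_ROLES:
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_value[token]  # KeyError if unknown or already erased

    def erase(self, token: str) -> None:
        """Delete the mapping. Copies of the token held elsewhere can no longer be
        resolved, which is how an erasure reaches downstream datasets."""
        value = self._token_to_value.pop(token)
        del self._index_to_token[self._index(value)]


def pseudonymise(record: dict, vault: TokenVault, fields: set[str]) -> dict:
    """Replace the listed personal-data fields with tokens before the record
    leaves the system that holds the vault; other fields pass through unchanged."""
    return {k: (vault.tokenize(v) if k in fields else v) for k, v in record.items()}


def mask_phone(phone: str, keep_last: int = 4) -> str:
    """Display-side masking (obfuscation): keep only the trailing digits."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    return "X" * max(len(digits) - keep_last, 0) + digits[-keep_last:]


if __name__ == "__main__":
    # Constructed sample records; the addresses and numbers are invented.
    vault = TokenVault(index_key=secrets.token_bytes(32))
    raw = [
        {"user": 1, "email": "a@example.com", "phone": "+91 98765 43210", "orders": 3},
        {"user": 2, "email": "a@example.com", "phone": "+91 91234 56789", "orders": 1},
    ]
    analytics_rows = [pseudonymise(r, vault, {"email", "phone"}) for r in raw]
    print(analytics_rows)          # same e-mail in both rows maps to the same token
    print(mask_phone(raw[0]["phone"]))
```

The analytics copy can still join on the e-mail token, but nobody holding only that copy can recover the address; the vault key and the detokenize path are the parts to place under the contractual and access-control obligations discussed above.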

6. How should organizations report a data breach? DFs must alert affected data principals and the Board as soon as they become aware of a personal data breach (Rule 7), and then, within 72 hours, provide further details including the date, time, extent, potential impact and containment measures. As drafted, every breach triggers the same obligations regardless of how minor or severe it is. There is also the open question of reporting to multiple authorities (CERT-In, the DPB and sectoral regulators), each with its own timeline; CERT-In's existing directions, for instance, already require incidents to be reported within six hours, so incident response playbooks will need to sequence these notifications.

7. How long can you retain data? Specific classes of DF (online gaming, social media and e-commerce platforms) that cross the prescribed user thresholds must erase personal data once the data principal has neither approached them for the specified purpose nor exercised their rights for three years, with exceptions for maintaining user account access and for token-based services. They must notify the data principal at least 48 hours before erasure, and may retain data beyond that point only where required for legal compliance (Rule 8 and Third Schedule). DFs below the thresholds (including smaller e-commerce, social media and online gaming operators) will need to determine for themselves when data no longer serves the specified purpose and set a retention timeline accordingly.


8. How should DFs process children's data? To obtain verifiable parental consent, DFs must implement reliable parent or guardian verification but may choose how: either through identity and age information already available with them, or through government-authorized digital tokens. While this gives businesses flexibility, concerns over broad-based age verification remain. Further, healthcare providers, educational institutions (defined broadly enough to potentially include edtech) and essential service providers are exempt both from the parental consent requirement and from the restrictions on tracking and behavioural monitoring of children. This should not be read as a blanket exemption: businesses should still take a risk-based approach to age verification, tracking and behavioural monitoring to avoid harm to children (Rules 10 and 11, and Fourth Schedule).

9. What are the obligations for Significant Data Fiduciaries (SDFs)? SDFs must carry out a Data Protection Impact Assessment (DPIA) and an audit every twelve months, and furnish a report of the observations to the Board. They must also verify that any algorithmic software they deploy for processing personal data does not pose a risk to data principals' rights. The annual DPIA and audit cycle may be challenging to sustain, and it is unclear how SDFs are expected to verify algorithmic software in practice.

10. Can data be transferred outside India? A committee to be constituted by the Central Government will have the power to specify which personal data, and associated traffic data, held by SDFs must be kept within India (Rule 12(4)). Moreover, DFs will need to meet requirements yet to be prescribed by the Central Government before making personal data available to foreign states or entities (Rule 14). This may reopen the door to data localization, and sits uneasily with the Act, which permits cross-border transfers except to countries restricted by the government.


11. How should data principals exercise their rights? DFs and consent managers must publish clear mechanisms that set out how requests are made, what identification is required and how grievances are redressed. Through these, data principals can access and erase their personal data and nominate a representative to exercise their rights, with DFs and consent managers obligated to provide transparent and accessible means for doing so (Rule 13).

12. What about the DPB? The Central Government will constitute separate search and selection committees for the Chairperson and for the other Members, comprising senior government officials and domain experts. Appointees must have specialized knowledge in fields such as data governance, law, technology or regulation, with the aim of a qualified, well-rounded Board (Rules 16-20).


13. What is the process for appeal? Aggrieved parties can appeal Board orders to the Appellate Tribunal digitally, paying fees through digital payment systems, with the Tribunal able to waive fees at its discretion. The Tribunal operates as a digital office, is guided by the principles of natural justice, may regulate its own procedure, and retains the power to summon and examine individuals (Rule 21).

14. What are the government's powers to call for information? The government has broad powers to requisition information from DFs and intermediaries for the purposes specified in the Seventh Schedule, subject to the safeguards set out there.

15. Are there other exemptions? Processing of personal data for research, archiving or statistical purposes is exempt, provided it adheres to prescribed standards: the data must be used lawfully, must not be used to make decisions specific to an individual, and responsible data governance practices must be maintained (Rule 15).

The path ahead

While the Draft Rules provide welcome clarity on implementation and compliance, areas such as breach reporting, children's data, DPIAs and audits, and cross-border transfers require closer attention. Businesses should both engage with the consultation to help refine the final framework and begin the work of building the rules into their operations.

If you have any questions or need further clarification on how the draft DPDP Rules might impact your organization, please do not hesitate to reach out.


Image credits: Pixabay
