On January 3, 2024, the Ministry of Electronics and Information Technology (MeitY) introduced the draft rules for the Digital Personal Data Protection Act (DPDP), which was passed by Parliament in August 2023. The release of these rules marks a crucial step toward implementing the Act, aiming to create a robust framework for personal data protection in India. The government has invited public feedback on the draft rules through the MyGov portal, with the deadline for submissions set for February 18, 2025.
Key Highlights of the Draft Rules
1. Data Fiduciaries’ Obligations
The draft rules outline the responsibilities of Data Fiduciaries—entities involved in processing personal data. They are required to:
- Ensure compliance with data protection standards.
- Obtain informed and verifiable consent from Data Principals (individuals to whom the data belongs).
- Implement safeguards to prevent unauthorized data access or breaches.
2. Processing of Children’s Data
The rules emphasize protecting children’s personal data by mandating:
- Verifiable parental consent: A child’s parent or legal guardian must provide explicit consent for data processing.
- Specific exemptions: Data processing is permitted for essential activities, such as health services or educational purposes, provided these activities directly benefit the child.
3. Role of Consent Managers
The draft rules define Consent Managers as pivotal entities in the data protection ecosystem. These managers:
- Must be incorporated in India with a minimum net worth of ₹2 crore.
- Are required to maintain independence and prevent conflicts of interest.
- Provide a certified platform enabling Data Principals to manage, modify, or withdraw consent for data processing.
4. State’s Processing of Personal Data
The draft rules permit the State and its instrumentalities to process personal data under specific conditions, such as:
- Issuing subsidies, benefits, and services.
- Ensuring compliance with lawful and secure data handling practices.
5. Establishment of the Data Protection Board
A standout feature of the draft rules is the proposed Data Protection Board, which will serve as a regulatory body to:
- Address complaints and grievances.
- Investigate data breaches.
- Impose penalties for non-compliance.
The board will function digitally, offering remote hearings to increase accessibility and streamline operations.
Leave a Reply