Breach alert, parental nod in digital privacy rulebook | Latest News India


The ministry of electronics and information technology on Friday evening released the draft Digital Personal Data Protection Rules for public consultation, setting the stage for operationalising India’s personal data protection regime more than 16 months after the act was notified in August 2023.

Some of the key obligations the rules propose from a user’s perspective are requirements for a service provider to clearly and in detail specify what data is being ingested and an immediate alert in the event that their data is breached. (Representational image)

These rules are the key to operationalising India’s Digital Personal Data Protection Act (DPDPA), a law that has been in the making since 2011, when an expert group chaired by former Chief Justice of the Delhi high court AP Shah recommended that India enact a privacy law.

In 2017, a nine-judge bench of the Supreme Court unanimously recognised the fundamental right to privacy as guaranteed under the Constitution.

Some of the key obligations the rules propose from a user’s perspective are requirements for a service provider to clearly and in detail specify what data is being ingested and an immediate alert in the event that their data is breached (for instance, in the case of a hack or a leak). The rules also lay down that verifiable parental consent will be required for those under 18 signing up for a service that needs personal data.

Given the widespread impact (almost all business and activity with any digital interface is covered by this framework), the draft rules propose a staggered implementation, with provisions related to the Data Protection Board (DPB) coming into immediate effect while other aspects, such as notice requirements and consent management, will be implemented later.

The public can submit comments on the draft rules through the MyGov portal until February 18.

DPB, which will be vested with civil court powers, will be responsible for adjudicating personal data breaches and can impose penalties of up to ₹250 crore.

For data breaches, data fiduciaries must inform both DPB and affected users “without delay”, with a detailed report to DPB required within 72 hours. The rules also mandate specific data retention periods and require companies to notify users 48 hours before their data is deleted.

Under the Act, every data fiduciary (an entity determining the purpose and method of data processing) must give a notice to a data principal (user) with/before seeking consent. The draft rules propose that such notice must have an itemised description of the personal data that will be processed, the purpose, and an itemised list of goods or services that will be provided through such processing.

All data fiduciaries will need to publish contact details of their Data Protection Officers (in case of significant data fiduciaries) or any other person who can address user queries. The rules also introduce strict requirements for processing children’s data, mandating “verifiable consent” from parents or guardians before companies can handle personal information of users under 18 years. The rules propose that data fiduciaries carry out necessary due diligence to ensure that they establish the guardianship of the adult providing consent in such cases.

However, the framework exempts certain categories of service providers from the verifiable parental-consent requirement, including health care providers, educational institutions, childcare centres and school transport services.

Nikhil Narendran, partner at Trilegal, said the children’s data provisions are similar in impact to the controversial Australian law that ultimately led to the country banning social media for children under the age of 16.

Large technology platforms can be notified as “Significant Data Fiduciaries” by the central government depending on their impact on national security, public order and electoral democracy, among other things. In addition to annual impact assessments and data audits prescribed under DPDPA, the rules propose that they must verify that their algorithms do not risk users’ rights. The rules also propose that the Centre can define the kind of data that such SDFs will have to localise within India’s borders.

Under section 36 of the Act, the central government can demand any information from DPB, a data fiduciary, or an intermediary. The draft rules prohibit the data fiduciary or the intermediary from making disclosures about such demands, a move that Narendran calls “very broadly interpreted” and potentially “unconstitutional”.

The rules set out three purposes for which such information can be demanded: first, when data is to be used by the State in the interest of national security; second, to perform any lawful function and to disclose any information under any law; and third, to assess whether a data fiduciary or a class of data fiduciaries should be classified as a significant data fiduciary.

To be sure, the DPDP Act only applies to personal data that is processed digitally; it does not apply to data processed in analogue form. However, if such data were scanned and stored on a computer, it would be covered.

Under the Act, DPB is responsible for adjudicating complaints related to personal data breaches.

The draft rules detail the formation of two search-cum-selection committees: one headed by the cabinet secretary to select the DPB chairperson, with a proposed salary of ₹4.5 lakh per month, and another led by the MeitY secretary to select board members, who would earn ₹4 lakh per month.

The draft rules detail how the DPB will hold its meetings and how matters will be decided by voting. While one-third of the DPB’s members are required for a quorum, the rules empower the DPB chairperson to take action in “emergent situations”, communicate the decision to all members within seven days, and lay it before the Board for ratification at its next meeting.

DPB, as under the Act, must function as a “digital office” and can adopt “techno-legal measures” to conduct proceedings so that the physical presence of any individual is not required.

The draft rules specify that consent managers must be Indian companies with a minimum net worth of ₹2 crore and must obtain independent certification. They are required to maintain consent records for at least seven years and cannot outsource their services to data processors.

Aprajita Rana, partner at AZB & Partners, said that the rules for consent managers are stringent, with restrictions on subcontracting their obligations, and check of conflict of interest with data fiduciaries. This means that it will be difficult for Big Tech to develop consent managers because of disclosure and conflict of interest requirements. “Most likely, we will see independent entities coming into this role. The obligations, however, are more stringent than expected by the industry,” she said.

For government access to data, the rules propose that state instrumentalities can process personal data without fresh consent in order to provide subsidies, benefits, services, licences or permits. They need only intimate users about such processing.

The draft rules are particularly significant for social media and gaming platforms. Rather than the narrower definition of a “social media intermediary” used in the existing IT Rules, the draft rules apply the broader definition of an “intermediary”.