Centre Releases Draft Rules For Digital Personal Data Protection Act

After much anticipation, the electronics and IT ministry (MeitY) has released the draft rules for the Digital Personal Data Protection Act for public consultations till February 18. 

The proposed rules outline that data fiduciaries (entities that determine how personal data is processed) will need to provide data principals (end users whose data they are collecting) necessary details for them to give specific and informed consent for the processing of their personal data. 

The notification that data fiduciaries send to data principals should include an itemised description of the type of personal data that will be aggregated and the specific purpose for that data. With this, the users will have the power to withdraw their consent and make a complaint to the Data Protection Board of India for any violation.

“A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach,” the draft bill reads. 

The data fiduciaries are expected to adhere to the following measures to prevent personal data breaches:

• Implementation of data security like encryption of personal data, masking or using virtual tokens linked to the data set.
• Measures to control access to the computer resources used by a data fiduciary or a data processor.
• Ensuring visibility on who is accessing  such personal data, through appropriate logs, monitoring and review, for enabling detection of unauthorised access, its investigation and remediation to prevent recurrence.
• Reasonable measures for continued processing in the event of confidentiality, integrity or availability of such personal data being compromised.
• Appropriate provision in the contract entered  between data fiduciary and a data processor for taking reasonable security safeguards.
• Technical and organisational measures to ensure effective observance of security safeguards.

The draft bill also outlines that cross-border data transfers can only occur if the central government allows it and the receiving country meets the specified data protection standards.

For Significant Data Fiduciaries (SDF) (Data Fiduciaries that handle high volumes of personal data that includes sensitive personal information such as biometric details or financial data), there are stricter obligations like audits and impact assessments.

“A Significant Data Fiduciary shall, once in every period of twelve months from the date on which it is notified as such or is included in the class of Data Fiduciaries notified as such, undertake a Data Protection Impact Assessment and an audit to ensure effective observance of the provisions of this Act and the rules made thereunder,” the draft rules read.

The rules will not apply to entities in the healthcare sector, educational institutions as well as child day care centres. 

Another key highlight of the draft rules is the outlining of requirements for data fiduciaries to obtain verifiable consent from parents or legal guardians before processing the personal data of children or individuals with disabilities. 

In particular, a data fiduciary will be required to implement measures to ensure that the individual providing consent for a child’s data processing is the child’s parent or legal guardian, and that the parent or guardian can be reliably identified.

Further, the draft says that the Indian State and its instrumentalities may process the personal data of data principals to provide or issue subsidies, benefits, services, certificates, licenses, or permits, as specified by law, policy, or the use of public funds. 

The draft rules come almost more than a year after the Parliament passed the Digital Personal Data Protection Bill, 2023. President Droupadi Murmu granted her assent to the Bill on August 11, 2023.