Data Protection Law Updates

On 3rd January, 2025 the Ministry of Electronics and Information Technology (MeitY) released the Draft Digital Personal Data Protection Rules (Rules) to facilitate the implementation of the Digital Personal Data Protection Act, 2023 (Act), which aims to strengthen the legal framework for the protection of digital personal data by providing necessary details and an actionable framework.

The Act was introduced to provide for the processing of digital personal data in a manner that recognises (i) the right of individuals (Data Principals) to protect their personal data and (ii) the obligations of the persons in charge of personal data (Data Fiduciaries) towards data security.

The Act along with the Rules marks a key step towards privacy of personal data.

Key Points:

  • Consent of Data Principal: To obtain "informed consent", the Data Fiduciary must provide the Data Principal with a clear and standalone notice outlining what data is to be collected, the purpose of the processing, and how consent can be withdrawn.
  • Consent manager: Consent Managers shall enable the Data Principal to easily give, manage, review, and withdraw consent for data processing, and shall maintain records of the consent and of data sharing. Consent Managers must implement strong security measures to protect personal data, avoid conflicts of interest, ensure transparency, and provide information to the Board as required for audit. The Rules introduce a framework for Consent Managers, specifying qualifications and registration conditions as well as roles and responsibilities. Consent Managers must maintain independence from, and prevent conflicts of interest with, Data Fiduciaries.
  • Data Protection Board: The Rules provide for setting up the Data Protection Board to address grievances and enforce compliance with the DPDP Act. They also provide for the appointment of its members and chairperson, their salary, the procedure for meetings, the functions of the Board, etc.
  • Reasonable Security Safeguards: A Data Fiduciary shall protect personal data in its possession or under its control by taking reasonable security safeguards to prevent a personal data breach, such as securing the personal data through encryption, taking appropriate measures to control access to the computer resources, providing visibility of access to the data via logs, and enabling the detection of unauthorised access.
  • Informing about Data Breach: A Data Fiduciary must inform the Data Principals and the Data Protection Board of any data breach, and shall also provide a description of the breach, its consequences, the measures taken to mitigate risk, and future safety measures.
  • Data Retention: The Rules prescribe that select classes of Data Fiduciaries, which include certain e-commerce entities, social media intermediaries and online gaming intermediaries with a specified number of registered users in India, shall erase personal data unless the user remains active or retention is necessary for compliance with any law.
  • Processing Data of Children or Dependents: The Rules outline the requirements for obtaining verifiable consent from parents or legal guardians before processing the personal data of children or persons with disabilities.
  • Data Protection Impact Assessments: Certain prescribed entities must conduct annual DPIAs and audits to ensure effective observance of the provisions of the Act and the Rules. This entails furnishing the report to the Board and observing due diligence to verify the software used. Such entities shall undertake the additional measures specified by the Central Government as recommended by the committee.
  • Cross Border Data Processing: Data Fiduciaries processing data within India, or outside India in connection with offering goods or services to Data Principals in India, must comply with any requirements the Central Government sets in respect of making such personal data available to a foreign State or its entities.
  • Penalty: The Rules introduce strict penalties for data breaches, emphasising the importance of personal data protection. Data Fiduciaries who fail to fulfil their obligations may face significant fines, compelling organisations to prioritise data security and compliance.
  • Exemptions: The Rules specify several exemptions for Data Fiduciaries. Certain provisions relating to judicial and regulatory functions, the enforcement of legal rights and the prevention of criminal activities may not require full compliance. Moreover, specific categories of Data Fiduciaries, such as startups and research organisations, may be exempted from some requirements. Clinical establishments, healthcare professionals, educational institutions, crèches and childcare facilities are also exempt from restrictions under the DPDP Act in specific cases.
  • Appeal: An aggrieved person can file an appeal in a digital form as specified by the Appellate Tribunal on its website which shall be accompanied by a fee payable by UPI or any other form authorised by the RBI.