Your Data, Your Control: India's Personal Data Protection - Draft Rules 2025 Explained In 7 Points

The Ministry of Electronics and Information Technology unveiled draft rules for the Digital Personal Data Protection Act, seeking public feedback by February 18, 2025.

[Image: Representational picture for Digital Personal Data Protection Draft Rules (Created with Bing Image Creator)]

By ETV Bharat Tech Team

Published : Jan 4, 2025, 11:37 AM IST

Hyderabad: The Ministry of Electronics and Information Technology on Friday unveiled the draft rules for the Digital Personal Data Protection Act, specifying how user data is to be collected, stored, and processed. The document also lists provisions for the privacy and security of data, especially for children. Additionally, it aims to establish a framework for consent and data breach notifications, among other provisions.

Speaking to ETV Bharat, Naman Mishra, the founder of Sedax, a Blockchain-based encrypted eKYC solution, emphasised the significance of the Digital Personal Data Protection (DPDP) Act. "Regulating personal data is crucial to protecting individuals' privacy and fostering trust in digital services. The draft rules highlight explicit consent, strong security measures, and user rights to access and delete personal data," he said, adding that companies handling personal data must enhance their systems to prioritise privacy and security.

The Digital Personal Data Protection Act was passed by the Indian Parliament in August 2023, and the government is currently seeking public feedback on the draft rules via the MyGov portal until February 18, 2025.

Let's take a look at the highlights of the draft.

Digital Personal Data Protection (DPDP) - Draft Rules, 2025

1. Notice and Consent

  • Notice: A Data Fiduciary (an entity or individual handling personal data) must give a notice before collecting your data. This notice must use simple, clear language and provide an itemised list of the personal data being collected, along with a detailed explanation of why the data is needed and how it will be used.
  • Explicit Consent: Before collecting your data, companies must obtain your explicit consent, ensuring you fully understand the purpose and usage of your data.
  • Withdrawal of Consent: Data Principals (individuals whose personal data is being processed) can withdraw their consent anytime as easily as they gave it. This prevents companies from making the withdrawal process difficult or confusing.
  • Consent Manager: There should be a Consent Manager to help manage and record user consent. It should be registered in India with a minimum net worth of Rs 2 crore. It must provide a certified interoperable platform and maintain strong security measures.

2. Data Collection and Security

  • Data Minimisation: Companies can only collect necessary data and must delete it once its purpose is fulfilled.
  • Security Measures: Companies must ensure reasonable security safeguards, such as encryption, access control, and data backups, to prevent unauthorized access or breaches. Contracts with Data Processors must also ensure compliance with security standards.

3. Children's Data

  • Special Rules for Children: Companies must get verifiable consent from a parent or legal guardian before processing a child's personal data. The Data Fiduciary must verify the parent's identity using government-issued IDs or digital tokens.
  • Privacy Measures for Children: Identities on social media platforms and websites must be established through government-issued IDs or digital tokens.
  • Exemptions: Educational institutions and child welfare organizations may be exempt from certain provisions regarding children's data, as outlined in Schedule IV.

4. Data Breach and Cross-Border Data Transfers

  • Data Breach Notification: If a data breach happens, the company must notify both the affected individuals and the Data Protection Board promptly. The notification must include details about the breach, potential consequences, and mitigation steps.
  • Cross-Border Data Transfers: Transfers can occur only with Central Government approval and if the receiving country meets specified data protection standards.

5. Significant Data Fiduciaries (SDF) and Contact Details

  • Significant Data Fiduciary (SDF): These are large entities handling vast volumes of sensitive data. They must conduct annual Data Protection Impact Assessments (DPIA), audits, and ensure their algorithms do not harm Data Principals.
  • Contact Details: Data Fiduciaries must publish contact details for data-related queries on their websites, apps, and responses. This includes the contact info of a Data Protection Officer (if applicable) or an authorized representative.

6. Rights of Data Principals

Data Principals can request access to their personal data and its erasure by contacting the Data Fiduciary to whom they gave consent. Requests must follow the published process and include the required particulars. Data Fiduciaries must clearly publish the process for exercising these rights and provide timelines for grievance redressal.

7. State Obligations and Enforcement

  • State Processing of Data: The State must process personal data lawfully, for specified purposes, with data accuracy, security safeguards, and minimal retention. Individuals must be informed and provided contact details for inquiries.
  • Search-cum-Selection Committee: This committee is responsible for recommending candidates for the positions of Chairperson and Members of the Board that oversees the enforcement of the DPDP Rules, 2025.
  • Data Protection Board: The draft rules propose establishing a Data Protection Board to investigate breaches and enforce penalties. The Board will operate as a digital office, with remote hearings and streamlined processes.

Pankit Desai, co-founder and CEO of Sequretek, a global cybersecurity solution provider, praised the DPDPA for giving end users better control over their personal information, including the option to withdraw consent. "This is vital in today's digital age where personal details are spread across various platforms, posing privacy risks. It compels companies to handle personal data securely and transparently and understand the data flow within their infrastructure, requiring them to track how data is collected, processed, stored, and ultimately deleted," he said to ETV Bharat.

Desai also expressed his desire for the bill to address practical challenges, such as how to obtain verifiable consent from populations. "More clarity on data localisation policies and the responsibilities of companies in the event of international data breaches would strengthen protections," he added.
