Government Publishes Draft Rules for Digital Personal Data Protection: Public Feedback Invited

5 Jan 2025 4:00 AM - By Court Book

The government has unveiled the draft Digital Personal Data Protection Rules, a significant step in implementing the Digital Personal Data Protection Act, 2023. Released for public consultation, the draft rules outline compliance requirements for data fiduciaries—entities responsible for collecting and processing personal data—and emphasize safeguarding user privacy. Public comments on the draft are being solicited until February 18, with the final rules expected to be formulated thereafter.

The draft mandates that platforms, including e-commerce websites, social media platforms, and online gaming providers, must secure verifiable parental consent before allowing children to create accounts. This includes validating the parent's identity and age through officially issued identity proofs, such as those provided by government-authorized entities. Additionally, data fiduciaries must ensure that children's data is handled with due diligence, requiring technical and organizational measures to confirm parental consent.

Entities are restricted to using and processing personal data only when individuals have granted explicit consent, often managed through consent managers. These managers are tasked with maintaining records of such consents and are subject to suspension or cancellation of registration in cases of repeated violations.

Data Retention and Deletion Requirements

The draft proposes stringent rules for data retention. Data fiduciaries must retain personal data only for the duration consented to by users, after which it must be deleted. For platforms with substantial user bases, such as e-commerce and social media entities with over 2 crore registered users, the draft stipulates a data deletion timeline of three years post-usage. Users must be notified 48 hours before deletion, allowing them to request data retention if necessary for accessing services or funds.

In the event of a data breach, fiduciaries must notify affected users promptly, providing detailed information about the breach, potential consequences, mitigation measures, and contact details for further assistance. The draft also specifies that breaches should be reported to the Data Protection Board of India (DPBI) within 72 hours.

Provisions for Children’s Data

Special provisions are included for processing children’s data. Platforms must adopt robust technical safeguards to ensure parental consent is verifiable before any processing. Verification may involve using identity details issued by government-authorized entities or virtual tokens mapped to such details, as supported by services like Digital Locker.

Enhanced Responsibilities for Significant Data Fiduciaries

Significant data fiduciaries, as categorized by the rules, must undertake additional responsibilities. These include periodic Data Protection Impact Assessments and audits to ensure compliance. Fiduciaries are also required to prominently display the contact details of a data protection officer on their websites for grievance redressal.

Challenges for Businesses

The draft rules have been lauded for providing clear compliance guidelines but also pose operational challenges for businesses. Managing user consent, a core aspect of the law, may necessitate architectural and design changes to existing platforms. Organizations are expected to re-evaluate data collection practices, establish lifecycle protocols, and invest in technical infrastructure to ensure adherence to the rules.

Limited Guidance on Penalties

While the Digital Personal Data Protection Act, 2023, includes provisions for penalties of up to ₹250 crore for data fiduciaries in violation, the draft rules do not specify penalties, focusing instead on compliance mechanisms. Experts have pointed out that the absence of thresholds for data breach reporting could result in uniform treatment of breaches, regardless of severity, placing additional compliance burdens on businesses.

Future Directions and Public Feedback

The draft rules also address cross-border data processing, stipulating that Indian data processed abroad will be subject to conditions specified by the government. The rules underscore the need for transparency, requiring fiduciaries to clearly communicate the nature, purpose, and scope of data collection to users.

The Ministry of Electronics and Information Technology has assured stakeholders that feedback submissions will remain confidential. This collaborative approach aims to refine the draft rules, ensuring a balanced framework that protects user privacy while facilitating the digital economy's growth.