The Indian government has introduced a preliminary draft of the Digital Personal Data Protection (DPDP) Rules, inviting public consultation to refine its provisions.
“Data fiduciaries must deliver transparent and comprehensible details on the handling of personal information, enabling individuals to provide informed consent,” the Press Information Bureau (PIB) emphasized in a statement released Sunday.
“Citizens are endowed with rights to demand data deletion, designate digital nominees, and utilize streamlined mechanisms for data management,” the announcement continued.
The draft rules aim to operationalize the Digital Personal Data Protection Act, 2023, by enhancing individuals’ control over their information. They allow users to make informed decisions regarding data processing, request the erasure of data from digital platforms, and lodge complaints effectively.
Fortified Security Mandates for Businesses
Enterprises operating within Indian borders are mandated to implement rigorous data protection protocols, encompassing encryption, access restrictions, and regular data backups, to preserve the confidentiality, integrity, and availability of personal information.
Key stipulations of the DPDP Act for data fiduciaries include:
- Establishing systems to identify and resolve breaches while maintaining detailed logs.
- Reporting breaches to the Data Protection Board (DPB) within 72 hours (or longer, if permitted), including a thorough breakdown of the incident’s sequence of events, mitigation actions, and the entities involved, if identified.
- Purging personal data after a three-year retention period and issuing notifications to individuals at least 48 hours before such erasures.
- Clearly displaying the contact details of a designated Data Protection Officer (DPO) on websites and applications to address inquiries concerning personal data processing.
- Securing explicit parental or guardian consent before processing data related to minors under 18 or individuals with disabilities, except for specific exemptions granted to healthcare providers, educational institutions, and safety-related activities.
- Conducting annual Data Protection Impact Assessments (DPIAs) and comprehensive audits, with results submitted to the DPB for oversight (limited to fiduciaries categorized as “significant”).
- Complying with governmental stipulations for cross-border data transfers, which will be defined by an expert committee.
The draft also outlines protective measures for citizens whose data is processed by government entities, ensuring such activities are lawful, transparent, and adhere to established legal and policy standards.
Hefty Penalties for Non-Compliance
Organizations found guilty of mishandling data or neglecting breach notifications face penalties of up to ₹250 crore (approximately $30 million), underscoring the government’s commitment to stringent enforcement.
Public feedback on the draft is open until February 18, 2025. The Ministry of Electronics and Information Technology (MeitY) clarified that submissions would remain confidential.
A Long Journey Towards Privacy Legislation
The DPDP Act, ratified in August 2023 after several revisions since 2018, stems from a pivotal 2017 Supreme Court verdict that enshrined the right to privacy as a constitutional guarantee in India.
Telecommunication Cybersecurity Rules Add Layer of Protection
This development follows the Department of Telecommunications’ issuance of the Telecommunications (Telecom Cyber Security) Rules, 2024, under the Telecommunications Act, 2023. These rules impose rigorous guidelines for safeguarding communication networks and mandate data breach disclosures.
Telecom operators must report any security incidents to the federal government within six hours of discovery and provide supplementary details within 24 hours. Furthermore, they are required to appoint a Chief Telecommunication Security Officer (CTSO), an Indian citizen, to oversee compliance. They must also supply traffic data—excluding message content—in a specified format to bolster cybersecurity.
However, the Internet Freedom Foundation (IFF) has raised concerns over the draft’s ambiguous phrasing and the omission of a definition of “traffic data,” cautioning that this could lead to misuse.