The Indian government has published a draft of the Digital Personal Data Protection Rules (DPDP) for public consultation.
“Trustees must provide clear and accessible information about how personal data is processed, ensuring informed consent,” the Press Information Bureau of India (PIB) said in a statement released on Sunday.
“Citizens have the right to request data erasure, appoint digital nominees and access convenient mechanisms to manage their data.”
The regulations, which aim to implement the Digital Personal Data Protection Act 2023, also give citizens more control over their data, including the ability to give informed consent to the processing of their information, as well as the right to erasure through digital platforms and to address grievances.
Companies operating in India must also implement security measures such as encryption, access control and data backup to protect personal data and ensure its confidentiality, integrity and availability.
Some other important provisions of the DPDP Act to be followed by trustees are listed below:
- Implement mechanisms for detecting and eliminating violations and keeping logs
- In the event of a data breach, provide details of the sequence of events leading up to the incident, the actions taken to mitigate the threat and the identity of the person(s), if known, within 72 hours (or more if permitted) to the Data Protection Board (DPB)
- Delete personal data that is no longer needed after a three-year period and notify individuals 48 hours before such information is deleted
- Clearly indicate on your websites/apps the contact details of the Data Protection Officer (DPO) responsible for resolving any questions regarding the processing of users’ personal data
- Obtain verified consent from parents or legal guardians before processing personal data of children under the age of 18 or people with disabilities (exceptions include health professionals, educational institutions and child care providers, but only for specific activities such as health services, educational activities, security control and traffic tracking)
- Conduct a Data Protection Impact Assessment (DPIA) and comprehensive audit once a year and report the findings to the DPB (limited to data trustees deemed “significant”)
- Adhere to the requirements set by the federal government when it comes to cross-border data transfers (the exact categories of personal data that must remain within India will be determined by a dedicated committee)
The draft rules also offer certain safeguards for citizens when their data is processed by federal and state government agencies, requiring that such processing be lawful, transparent, and “in accordance with legal and policy standards.”
Organizations that misuse or fail to protect individuals’ digital data or report a security breach to the DPB can face fines of up to 250 crore rupees (almost $30 million).
The Ministry of Electronics and Information Technology (MeitY) is seeking public feedback on the draft regulations by February 18, 2025. It also says that the materials will not be disclosed to any party.
The DPDP Act was formally passed in August 2023 after several revisions since 2018. The data protection regulation came in view of the Supreme Court of India’s 2017 judgment upholding the right to privacy as a fundamental right under the Constitution of India.
The development comes more than a month after the Department of Telecommunications issued the Telecommunications (Cyber Security of Telecommunications) Regulations, 2024, pursuant to the Telecommunications Act of 2023 to ensure the protection of communications networks and introduce strict guidelines for the disclosure of data breaches.
Under the new rules, a telecommunications organization must notify the federal government of any security incident affecting its network or services within six hours of becoming aware of it, with the affected company also required to share additional relevant information within 24 hours.
In addition, telecom companies are required to appoint a Chief Telecommunications Security Officer (CTSO), who must be an Indian citizen and a resident of India, and share traffic data – excluding message content – with the federal government in a specified format to “protect and ensure telecommunications cyber security.”
However, the Internet Freedom Foundation (IFF) said “over-wording” and removing the definition of “traffic data” from the draft could open the door to abuse.