KEY HIGHLIGHTS OF THE DRAFT DIGITAL PERSONAL DATA PROTECTION RULES, 2025

1. INTRODUCTION

1.1. India enacted the Digital Personal Data Protection Act, 2023 (“DPDP Act”) in August 2023. The Government of India, through the Ministry of Electronics and Information Technology (“MEITY”), released the draft Digital Personal Data Protection Rules, 2025 (“Draft Rules”) under the DPDP Act for public consultation and comments on January 3, 2025. Comments may be provided to MEITY till February 18, 2025, and may be submitted on the website of MyGov (https://mygov.in).

1.2. The Draft Rules shall provide detailed guidance and clarification on the implementation of the provisions of the DPDP Act, to ensure effective compliance and enforcement.

1.3. Rules 16 to 20 of the Draft Rules (Data Protection Board) shall come into force on the date of their publication in the Official Gazette. The operational requirements stipulated under Rules 3 to 15 and Rules 21 and 22 of the Draft Rules shall come into force on a specific date to be notified at a later stage. This would give businesses time to comply.

2. NOTICE BY DATA FIDUCIARY [Rule 3]

2.1. The notice provided by the Data Fiduciary to the Data Principal shall:

a) Be independently understandable without reliance on other information.

b) Clearly provide an itemized description of the personal data being processed, the specific purpose of processing, and an itemized description of the goods or services enabled by such processing.

c) Include a web-link to the Data Fiduciary’s website or app, and details on how the Data Principal can withdraw consent, exercise rights under the DPDP Act, or lodge a complaint with the Data Protection Board.

3. CONSENT MANAGER [Rule 4 & First Schedule]

3.1. A Consent Manager must be a company incorporated in India and registered with the Data Protection Board, having a minimum net worth of two crore rupees and a certified interoperable platform enabling Data Principals to manage their consent.

3.2. The Consent Manager shall ensure that Data Principals can easily give, manage, review, and withdraw consent for data processing. Further, it should maintain the records of consents and data sharing and provide transparent access to such records in accordance with Part B of the First Schedule of the Draft Rules.

4. REASONABLE SECURITY SAFEGUARDS [Rule 5]

4.1. A Data Fiduciary shall protect personal data under its control, including data processed by a Data Processor, by implementing reasonable safeguards to prevent breaches. These include:

a) Securing data through encryption, obfuscation, masking, or virtual tokens.

b) Controlling access to computer resources.

c) Using logs and monitoring to detect, investigate, and prevent unauthorized access.

d) Ensuring continued processing through backups in case of data compromise.

e) Retaining logs and data for at least one year, unless otherwise required by law.

f) Including security safeguard provisions in contracts with Data Processors.

g) Adopting technical and organizational measures to ensure compliance.

5. INTIMATION OF PERSONAL DATA BREACH [Rule 7]

5.1. Intimation to Data Principal: Upon becoming aware of a personal data breach, the Data Fiduciary shall promptly notify affected Data Principals through their user account or registered communication channel. The notice shall include a description of the breach (nature, extent, timing, and location), likely consequences, measures taken to mitigate risks, safety measures for protection, and contact details for queries.

5.2. Intimation to Data Protection Board: The Data Fiduciary shall immediately inform the Data Protection Board of the breach, detailing its nature, extent, timing, location, and likely impact. Within 72 hours, or a longer period if permitted, the Data Fiduciary shall provide an updated breach description, relevant facts and reasons, risk mitigation measures, findings on the responsible party, remedial actions, and a report on notifications sent to affected Data Principals.

6. LIMITATION IN RETENTION PERIOD FOR DATA FIDUCIARIES [Rule 8]

Certain classes of Data Fiduciaries, such as e-commerce and social media intermediaries (with at least 2 crore registered users) and online gaming intermediaries (with at least fifty lakh registered users), must delete/erase the personal data of their Data Principals after three (03) years from the date of collection of such data, for all purposes except user account access and token-based services. However, personal data may be retained for a longer period if required for compliance with any applicable laws. The Data Fiduciary must notify Data Principals at least 48 hours before such erasure.

7. CONTACT INFORMATION OF PERSON TO ANSWER QUESTIONS ABOUT PROCESSING [Rule 9]

Every Data Fiduciary must clearly display on its website or app the contact details of a designated person who can address questions regarding the processing of personal data.

8. PERSONAL DATA OF CHILDREN [Rule 10, 11, Fourth Schedule]

8.1. A Data Fiduciary must implement technical and organizational measures to ensure verifiable consent from a parent or lawful guardian before processing a child’s personal data, by way of:

a) reliable identity and age details already available with the Data Fiduciary, or

b) identity and age details as voluntarily provided by the parent, or

c) a virtual token issued and verified by an authorized entity, including those facilitated by a Digital Locker service provider.

8.2. Exceptions: Certain Data Fiduciaries, including those in the healthcare industry, clinical establishments, educational institutions, and childcare facilities, may not be required to seek parental or guardian consent before processing the data of children or persons with disabilities.

9. ADDITIONAL OBLIGATIONS FOR SIGNIFICANT DATA FIDUCIARIES [Rule 12]

9.1. A Significant Data Fiduciary should conduct a Data Protection Impact Assessment and an audit once every 12 months to ensure compliance with the DPDP Act and the Draft Rules. The findings must be reported to the Data Protection Board. The Significant Data Fiduciary must also ensure that algorithmic software used by it for personal data processing does not pose risks to Data Principals' rights.

9.2. A Significant Data Fiduciary must ensure that personal data, as specified by the Central Government, is not transferred outside India.

10. RIGHTS OF DATA PRINCIPAL [Rule 13]

10.1. Data Fiduciaries and Consent Managers must publish on their website or app the manner in which Data Principals can exercise their rights, including any identifiers required to identify the Data Principal.

10.2. Data Fiduciaries and Consent Managers must publish the grievance redressal response time and implement effective technical and organizational measures to ensure timely responses.

10.3. Data Principals can nominate individuals to exercise their rights according to the terms of service and applicable laws.

11. CROSS BORDER DATA TRANSFER [Rule 14]

Data Fiduciaries processing personal data within India, or outside India in connection with offering goods or services to Data Principals within India, must comply with any requirements the Central Government sets in respect of making such personal data available to a foreign state or its entities.

12. DATA PROTECTION BOARD OF INDIA [Rule 16-21]

12.1. The Draft Rules outline the functioning of the Data Protection Board of India (“Data Protection Board”).

12.2. The Data Protection Board will operate as a "digital office" under the DPDP Act, utilizing "techno-legal measures" to conduct proceedings without the need for physical presence.

12.3. An appeal by a person aggrieved by an order or direction of the Data Protection Board shall be filed in digital form with the Telecom Disputes Settlement and Appellate Tribunal.

13. EXEMPTIONS [Rule 15]

The processing of personal data for research, archiving, or statistical purposes is exempted from the provisions of the DPDP Act and the Draft Rules, provided that such processing is conducted in compliance with the standards outlined in the Second Schedule of the Draft Rules.

14. GOVERNMENT ACCESS REQUEST [Rule 22]

The Central Government has wide powers to ask any Data Fiduciary or intermediary to provide such information as it may require for the purposes listed in the Seventh Schedule of the Draft Rules, through the corresponding authorized person. In case any information relates to the sovereignty and integrity of India, the Government may prevent disclosure of the information by the Data Fiduciary or intermediary without the prior written permission of the authorized person.

We would be delighted to assist you in navigating Indian data law; in case of any queries you can reach out to us at:

Rajat Prakash (Managing Partner)

Siddharth Mahajan (Partner)

Simranjeet Singh (Partner)

DISCLAIMER

The update is intended for your general information only. The information and opinions contained in this document are derived from public sources which we believe to be reliable and accurate but which, without further investigation, cannot be warranted as to their accuracy, completeness, or correctness. It is not intended to be nor should be regarded as legal advice, and no one should act on such information without appropriate professional advice. Athena Legal accepts no responsibility for any loss arising from any action taken or not taken by anyone using this material.