The Ministry of Electronics and Information Technology issued the much-awaited draft Digital Personal Data Protection Rules ("Draft Rules") on January 3, 2025. This is a significant step towards consolidating and establishing India's personal data protection framework. The Draft Rules, much like the Digital Personal Data Protection Act, 2023 ("Act"), are largely positive and provide enough detail to make India's data protection framework comprehensive without introducing unnecessary complexity.
The Draft Rules are open for public consultation, and stakeholders are to provide their comments by February 18, 2025.
A brief overview of the Draft Rules is provided below.
1. Commencement of the Draft Rules [Rule 1]: The Draft Rules will be implemented in a phased manner: the provisions on setting up and operating the Data Protection Board ("Board") will come into effect immediately upon publication of the final version of the Draft Rules in the Official Gazette, and the other compliance provisions will become effective from a later date (to be prescribed in the final version of the Draft Rules). In other words, akin to the General Data Protection Regulation, 2016, a transition period will be provided for Data Fiduciaries and Data Processors to comply with the provisions of the Act and the rules thereunder. During a press conference, the Minister for Electronics and Information Technology, Mr. Ashwini Vaishnaw, mentioned that a transition period of about 2 (two) years will be provided for compliance with the Act and the rules thereunder. Whether the transition period will be the same for all stakeholders or will vary (depending on size, scale, sector, etc.) is not clear.
2. Notice [Section 5 r/w Rule 3]: The notice provided by the Data Fiduciary to the Data Principal at the time of obtaining consent needs to be clear, standalone and understandable. The notice should inter alia contain an itemised description of the personal data, the purpose of processing, and the goods and services provided or uses to be enabled by such processing. Additionally, a communication link for accessing the website/app (or both) of the Data Fiduciary is to be provided (along with a description of any other means) through which the Data Principal can exercise her rights (including withdrawing consent, with the process of withdrawal being as simple as the process of giving consent) or make a complaint to the Board. Effectively, the mode of providing the notice and how it may be integrated into the user interface design has been left to the discretion of Data Fiduciaries, and ultimately, emerging market practice may drive practical implementation.
3. Reasonable Security Safeguards [Section 8(5) r/w Rule 6]: Data Fiduciaries are to implement security measures such as encryption, obfuscation, masking, use of virtual tokens mapped to personal data, setting strict access controls, etc., to prevent personal data breaches. This leaves room for Data Fiduciaries to navigate internal security architecture commensurate to the kind of processing being carried out provided the core principles (as prescribed) of the approach are not compromised. This is a positive step over prescribing security standards (like ISO 27001) which can become restrictive and also possibly outdated. Appropriate logs need to be maintained for a period of 1 (one) year for enabling detection and addressing breaches. These security measures must also be contractually passed on to the Data Processor thereby warranting review and amendment of existing contracts between the Data Fiduciary and Data Processors.
4. Intimation of Personal Data Breach [Section 8(6) r/w Rule 7]: On becoming aware of a personal data breach, the Data Fiduciary is required to, without any delay, intimate each affected Data Principal of such breach. This intimation can be done through the user account or any mode (opted by the Data Principal with the Data Fiduciary) and shall include a description of the breach, consequences that are likely to arise from the breach and which are relevant to the Data Principal, corrective measures implemented/being implemented, safety measures the Data Principal may take to protect her interest, and contact details of the person who will respond to any queries on behalf of the Data Fiduciary.
Similarly, the Data Fiduciary is also required to intimate the Board of the occurrence of such breach promptly, and with more detailed information within 72 (seventy-two) hours of becoming aware of the breach. This intimation should contain details such as (a) a description of the breach, (b) broad facts related to the events, circumstances and reasons leading to the breach, (c) measures implemented to mitigate risks, (d) findings on who caused the breach, (e) remedial measures implemented, and (f) a report on intimations made to affected Data Principals.
The above intimation requirement is in addition to the intimations to be made to CERT-In under the Information Technology Act, 2000 and the rules thereunder and, if the Data Fiduciary is a regulated entity, the intimation requirement to the respective regulator under the applicable laws. Managing these additional reporting requirements will certainly increase the compliance burden on Data Fiduciaries, necessitating enhanced co-ordination and resource allocation.
5. Verifiable Consent for processing personal data of children or persons with disability [Section 9 r/w Rule 10]: Data Fiduciaries must implement measures to ensure that verifiable consent of the parent/legal guardian is obtained before processing any personal data of a child (i.e., a person below the age of 18 (eighteen)) or of a person with disability. Due diligence must be conducted to ensure that the individual identifying as the parent is an adult, by using reliable identity and age details or virtual tokens mapped to such details.
However, the Draft Rules exempt certain Data Fiduciaries (such as clinical establishments, medical professionals, educational institutions, creche or day care facilities) and certain processing purposes (for creation of user account for communicating by email, for providing subsidy / benefit / service / certificate / license etc., under any law in the interest of the child, for ensuring that information likely to cause any detrimental effect on the wellbeing of a child is not accessible to her, etc.) from the purview of the above verifiable consent requirement. That said, this is not an absolute exemption and comes with certain conditions attached.
6. Data Retention [Section 8(7) r/w Rule 8]: The Draft Rules prescribe a maximum data retention period of 3 (three) years (from the date on which the Data Principal last approached the Data Fiduciary for the performance of the specified purpose or the exercise of her rights, or the commencement of the rules, whichever is later) for Data Fiduciaries that are e-commerce entities (with 2 (two) crore or more registered users each), online gaming intermediaries (with 50 (fifty) lakh or more registered users each) or social media intermediaries (with 2 (two) crore or more registered users each). No time periods for specific use cases, or for Data Fiduciaries outside of these classes, have been identified, which could lead to inconsistencies in interpretation. Data Fiduciaries are required to inform the Data Principal, at least 48 (forty-eight) hours before the end of the time period, that her personal data will be erased unless she logs into her account or initiates contact with the Data Fiduciary for performance of the specified purpose or exercise of her rights in relation to the processing of such data.
7. Significant Data Fiduciary ("SDF") [Section 10 r/w Rule 12]: In addition to compliance with other provisions of the Act and the Draft Rules, SDFs are required to (a) carry out an annual Data Protection Impact Assessment ("DPIA") and audit to ensure compliance with the Act and the Draft Rules; (b) furnish to the Board a report containing significant observations from the DPIA and audit; (c) observe due diligence to verify that any algorithmic software used by it to process personal data does not pose a risk to the rights of Data Principals (for example, if an SDF were to deploy an artificial intelligence tool on its platform, it would need to take this requirement into account); and (d) undertake measures to ensure that the personal data specified by the Central Government is processed in compliance with the specific restrictions, and that such data and any related traffic data is not transferred outside of India.
8. Consent Manager [Section 6 (7)-(9) r/w Rule 4]: Consent managers are entities registered with the Board that enable a Data Principal, using their platform, to give, manage, review and withdraw her consent to the processing of her personal data by a Data Fiduciary. The consent manager will act in a fiduciary capacity in relation to the Data Principal. However, akin to how account aggregators currently operate, the consent manager will remain blind to the personal data of the Data Principal.
Data Fiduciaries will have to be onboarded onto the consent manager's platform in order to enable the consent management functionality for their users. The Draft Rules prescribe the qualifications, registration process and obligations of a consent manager.
9. Rights of Data Principals [Sections 11 – 14 r/w Rule 13]: Data Fiduciaries and consent managers are required to publish on their website or app (or both) the process by which Data Principals may exercise their rights, and the identifiers (such as username) to be used to facilitate identification of the Data Principal. Further, Data Fiduciaries are also required to provide a timeline for responding to grievances of Data Principals and to implement appropriate technical and organisational measures to ensure the effectiveness of the system in responding to grievances within such period. While no timeline for redressal of grievances has been prescribed, it may be assumed that any timeline so determined by Data Fiduciaries should meet the test of reasonability.
10. Cross-border data transfers [Section 16 r/w Rule 14]: Data Fiduciaries who are processing personal data within India or outside India (in connection with offering goods or services to Data Principals located in India) must comply with the requirements prescribed by the Central Government, in respect of making such personal data available to a foreign state.
11. Contact Details [Section 8(9) r/w Rule 9]: Data Fiduciaries are required to prominently display on their website or app the contact details of the person who can address queries on the processing of personal data. Further, such contact details need to be included in all responses to communications from Data Principals who wish to exercise their rights under the Act.
12. Board [Sections 18-26 r/w Rules 16-20]: The Draft Rules prescribe the procedure for appointment of the chairperson and members of the Board, their salaries, allowances, terms of service, etc. The Board will function as a digital office.
13. Appellate Tribunal [Section 29 r/w Rule 21]: The Draft Rules prescribe the process for filing appeals to the Appellate Tribunal for persons dissatisfied with orders or directions of the Board. Like the Board, the Appellate Tribunal is also a digital office.
14. Processing by Government [Section 7(b) r/w Rule 5]: Government organisations may process the personal data of Data Principals to deliver subsidies, benefits, services, certificates, licenses or permits without the consent of the Data Principal. This processing should be done in a lawful manner, for the stated purpose and limited to the data necessary to achieve the said purpose. The personal data may be retained for as long as required to achieve the purpose, or for a longer period if required under any law. The Data Principal should be informed of the processing, including the means to exercise her rights.
15. Exemption for research, archiving or statistical purposes [Section 17(2)(b) r/w Rule 15]: Processing of personal data for research, archiving or statistical purposes is exempt from the purview of the Act and the rules framed thereunder, provided such processing is done in accordance with the conditions specified in the Draft Rules. These conditions are the same as those applicable to processing by the Central Government, as described in item 14 above.
16. Calling for information from Data Fiduciary or Intermediary [Section 36 r/w Rule 22]: The Central Government is empowered under the Draft Rules to direct Data Fiduciaries or intermediaries to provide specific information for certain specified purposes.
While the Draft Rules effectively address most critical issues, they leave several open issues/inconsistencies that require further clarity. Resolving these open issues through stakeholder consultations will be essential. A few key issues are outlined below:
- Consent Manager's Role: While the Act provides the Data Principals an option to manage their consents using a consent manager, the rules remain silent on this aspect. Thus, is use of consent managers mandatory or optional? If mandatory, it might seem unnecessary for a Data Fiduciary to go through a consent manager every time, especially when they already have a direct relationship with the Data Principal.
- Cross-Border Data Transfers: The Draft Rules widen the scope of Section 16 of the Act. Under the Act, the Government was empowered to prescribe a "blacklist" of countries to which data transfers would not be permitted. The Draft Rules, however, permit cross-border data transfers subject to the Data Fiduciary taking on the onus of ensuring that it complies with any additional requirements specified by the Government when making such data accessible to a foreign state or any agency of such state. This means that even if data transfer is permitted to a country, the Data Fiduciary might still be responsible for ensuring that the data is not accessible by a specific agency of that country.
- Who is an SDF?: Interestingly enough, there is still not enough clarity on which Data Fiduciaries may qualify as SDFs. Greater transparency here would help organizations better prepare for compliance.
- Breach Intimation: There is an inconsistency in the approach to breach intimations. While both the Board and the affected Data Principal must be promptly informed, the Board can be provided with more details after 72 (seventy-two) hours or such longer period as permitted by the Board. However, as regards Data Principals (where sensitivity is higher), details must be provided without delay. This inconsistency makes compliance arduous.
- Verifiable Consent: The requirement to obtain verifiable parental consent is triggered when a user identifies as a child, or a parent/legal guardian indicates that they want to open an account for a child. This mechanism is susceptible to misrepresentation and thereby potentially defeats the objective of age-gating and child data protection.
- Data Localisation Obligation on SDFs: The Draft Rules make room for potential data localisation of certain specified data sets by SDFs, as prescribed by the Government, which could lead to compliance conflicts. For example, data privacy laws in foreign jurisdictions may require disclosure of or access to all data sets processed by the SDF, thereby creating conflicts with the requirements under the Act and the Draft Rules and thus impacting the ability to conduct cross-border business. Further, this appears to be a step backward from the enabling provision under the Act, which seemed to indicate the Government's intention to do away with the data localisation requirement and instead only to impose restrictions on cross-border transfer of data to select countries.
- Sector-Specific Impact: The Draft Rules could significantly affect Data Fiduciaries that are regulated by sectoral regulators (such as SEBI, RBI, or IRDAI). For example, a Data Fiduciary in the fintech sector would need to align its data processing activities and cybersecurity infrastructure with both the provisions of the Act and the rules framed thereunder, as well as with the relevant sectoral regulations issued by the respective regulators. Adhering to additional compliance requirements could prove challenging and may further complicate the overall compliance process.