India releases new draft rules for Digital Personal Data Protection Act for public consultation

On January 3, 2025, the Ministry of Electronics and Information Technology (MeitY) published the new draft rules under the Digital Personal Data Protection Act (DPDPA). The proposed rules, available for public comment until February 18, 2025, are intended to effectuate the Act, which was adopted in 2023.

Among the key provisions of the proposed rules are provisions to clarify the administrative details of the Act and functionality of the Data Protection Board of India, obligations of covered entities, requirements surrounding consent, provision of individual rights, conditions for cross-border data transfers, obligations for the processing of children’s data and individuals with disabilities, retention periods for personal data, exemptions to the Act, and enforcement mechanisms.

  • Consent and Data Fiduciary Obligations

With regard to consent and Data Fiduciary obligations, the draft rules provide that Data Fiduciaries must provide Data Principals with notice of processing activities, including itemized descriptions of the personal data processed and the goods or services provided through the processing of the data. A Data Fiduciary, similar to a controller under the European Union’s General Data Protection Regulation, refers to “any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.” This notice highlights the Act’s focus on informed consent, empowering the Data Principal, through clear language, to determine whether to withdraw their consent or exercise their rights under the Act. To further this focus on consent and notice, the draft rules clarify the requirement of the registration of a Consent Manager and the obligations related to that Consent Manager. A Consent Manager, as defined by the Act, refers to “a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.” The draft rules additionally clarify the Board’s role in reviewing and approving the registration of Consent Managers, the conditions of registration of Consent Managers, and Consent Manager obligations.

The draft rules clearly define the obligations of Data Fiduciaries, including implementing reasonable and appropriate security safeguards, ensuring the existence of contractual obligations for security safeguards of Data Processors, notifying Data Principals in the event of a personal data breach in a concise, clear and plain manner and without unreasonable delay through the Data Principal’s user account or any mode of communication registered with the Data Fiduciary, and notifying the Board in the event of a personal data breach without delay and within 72 hours of discovering the breach. Further, the rules specify that every Data Fiduciary is required to appoint a contact person to address Data Principal inquiries into the processing of personal data.

Finally, the rules offer insight into the additional obligations of Significant Data Fiduciaries, including requirements surrounding algorithmic software deployment, personal data oversight, and annual Data Protection Impact Assessment (DPIA) and audit mandates.

  • Data Retention

The draft rules additionally offer clarity on data retention, providing that a Data Fiduciary must erase personal data, “unless its retention is necessary for compliance with any law for the time being in force,” if, for the corresponding time period, the Data Principal “neither approaches such Data Fiduciary for the performance of the specified purpose nor exercises her rights in relation to such processing.” The provision also states that the Data Fiduciary must, at least 48 hours before completion, notify the Data Principal that their personal data will be erased unless the Data Principal indicates otherwise.

  • Processing of Personal Data of a Child or Individual with a Disability

Notably, the rules mandate verifiable consent prior to the processing of personal data of a child or person with a disability who is under the care of a legal guardian. Specifically, the rules place the onus on the Data Fiduciary to verify the identity of any individual claiming to be the parent or guardian of a child or individual with a disability by referencing “reliable details of identity and age available with the Data Fiduciary” or “voluntarily provided details of identity and age or a virtual token mapped to the same” content, which is “issued by an entity entrusted by law or the Central Government or a State Government.” The Data Fiduciary is expected to exercise due diligence in verifying that an individual claiming to be a legal guardian is, in fact, appointed by a court of law or other designated authority or local committee.

  • Rights of Data Principals

The DPDPA provides that Data Principals shall have the following rights: the right of access, right of correction, right of erasure, right of grievance redressal, and the right to nominate another individual to exercise rights in the event of death or incapacity. The draft rules complement the individual rights laid out in the DPDPA by requiring a Data Fiduciary or Consent Manager to publish on its website or app specific information about the existence of rights, how Data Principals may exercise those rights, and the conditions under which the Data Principal may exercise specific rights.

As various countries continue to implement comprehensive privacy legislation, the obligations for entities processing personal data increase in complexity. For assistance in determining and ensuring compliance with potential obligations, please contact a member of McDonald Hopkins' national data privacy and cybersecurity practice group.
