The Ministry of Electronics and Information Technology on Friday released draft rules under the Digital Personal Data Protection Act, 2023, and sought public comments till Feb. 18.
The draft rules deal with the provisions for personal data breach, protecting children’s data, the consent manager framework, and the setting up of a data protection board.
While the draft rules provide extensive guidance on several issues, they provide less detailed guidance on thorny issues like the manner of notice, reasonable security standards, contracting with processors, and breach notification, as per Arun Prabhu, Partner (Head of Technology) at Cyril Amarchand Mangaldas.
Personal Data Breach
The rules provide that if a breach in an individual’s personal data occurs, the data fiduciary, such as a social media entity, financial institution, or website, must inform the affected person. The details of the breach, along with its nature, timing, and location, must also be shared.
The individual must be apprised of information about the consequences of the breach and the safety measures that can be implemented.
They must also notify the Data Protection Board with detailed updates within 72 hours, including mitigation steps and measures to prevent recurrence.
Protecting Children Data
One of the major reforms in the rules is about protecting the data of children online. When personal data of a child or a person with a disability is collected, the organisation must get permission from the parent or legal guardian before processing it.
The organisation must verify that the person giving consent is indeed the parent or guardian and is an adult. This process ensures that children’s data is handled responsibly and that appropriate consent is obtained before processing their information.
How Long Can Your Data Be Kept?
There are rules about how long personal data can be kept. If an organisation has personal data for a specific purpose and no one uses it within a set period, the data should be erased.
This helps to ensure that data is not kept unnecessarily and is only used for its intended purpose.
Before erasing the data, the organisation must notify the person to whom it belongs, as per the proposed rules.
Handling Of Personal Data
When any organisation collects and handles personal data, it must take reasonable steps to protect it. This means using security methods like encryption, controlling who can access the data, and monitoring activity to prevent unauthorised access.
The organisation must also have measures in place to recover the data if it’s lost or damaged and ensure that security is part of any contracts with third parties involved in processing the data.
Can Government Use Your Data?
As per the proposed rules, the government and its agencies can use personal data to provide services like subsidies, benefits, certificates, licenses, or permits.
Expert Opinions
These measures showcase a balanced approach toward fostering innovation while addressing privacy concerns and advancing India’s objective of establishing a sovereign and secure data economy, as per Anandaday Misshra, Founder & Managing Partner, AMLEGALS.
The rules also introduce complex compliance requirements, such as stringent consent manager registration norms and extensive disclosure obligations, which may disproportionately impact smaller enterprises, as per Rashmi Deshpande, founder, Fountainhead Legal.
Additionally, while the provisions for international data transfers and state exemptions are significant, they necessitate greater clarity to prevent potential misuse and ensure uniform application, she said.
The rules also prescribe algorithmic assessments for significant data fiduciaries reflecting an alignment with the AI-driven future, as per Ankit Sahni, partner, Ajay Sahni & Associates.
However, Prabhu from Cyril Amarchand Mangaldas mentioned that potential restrictions on the use of “algorithmic software” by SDFs and the timelines for implementation are far less clear and may be ironed out during the consultation process for which a 45-day time period has been provided in relation to rules. NDTV Profit