What All Do Companies Need to Do to Comply?
On January 3, the Ministry of Electronics and Information Technology (MeitY) released the draft rules for the Digital Personal Data Protection Act, under which Data Fiduciaries must provide clear consent notices to individuals, detailing the data they collect and the purposes for processing it.
Moreover, Significant Data Fiduciaries (SDFs) handling personal data face stricter obligations.
The public consultation for the rules will close on February 18, 2025, and comments can be emailed here.
Fines under the Act
Under the Act, if companies fail to meet these obligations, they could face fines ranging from Rs 50 crores to Rs 250 crores, based on the seriousness and extent of the non-compliance.
The rules require Data Fiduciaries to provide a notice to individuals before or at the time of requesting consent. This notice should inform the individual about the personal data the Data Fiduciary collects, the purpose for processing it, how to exercise their rights, and the procedure for filing a complaint with the Data Protection Board.
What Should the Notice Issued by Data Fiduciaries to Individuals Include?
The notice issued by Data Fiduciaries to an individual must be clear, self-contained, and easily understandable, without relying on any additional information provided by the Data Fiduciary. It should use simple language to ensure the individual has a comprehensive and transparent understanding of the information required to provide informed consent for processing their personal data.
Under the DPDP Act, the user must provide a “freely given, specific, informed and unambiguous indication” of their consent. The Act also requires Data Fiduciaries to process a user’s personal data only for a lawful purpose that the user has given consent to or for “legitimate uses.” We have separately covered what qualifies as “legitimate uses” here.
Data processing is legitimate unless the individual explicitly objects, unlike regular consent, which requires active permission.
Importance of Purpose Limitation
Moreover, the notice must specifically include an itemized list of the personal data collected, a clear explanation of the purpose for processing, and a detailed account of the goods, services, or uses that the processing enables.
It should also provide a link to the Data Fiduciary’s website or app, along with details of any alternative methods for the individual to withdraw consent with the same ease as granting it, exercise their rights, and lodge complaints with the Board.
Previously, at a MediaNama discussion, a participant had stressed the importance of purpose limitation asserting, “It shouldn’t be that once it’s [consent for processing personal data] out the door, anyone anywhere can do whatever they want with it because effectively, that’s the difference between it being my data, and the data of the organization that collects it from me for serving a purpose of which I’m allowing it to do.”
How Should Data Fiduciaries Ensure the Security of Personal Data?
A Data Fiduciary must safeguard personal data in its possession or control, including data processed by its Data Processors (any person/entity who processes personal data on behalf of a Data Fiduciary), by implementing ‘reasonable’ security measures to prevent breaches.
- These measures must include securing personal data through techniques such as encryption, obfuscation, masking, or using virtual tokens linked to the data.
- Access to computer systems used by the Data Fiduciary or Data Processor must be controlled, and visibility of data access must be ensured through logs, monitoring, and reviews, so that unauthorized access can be detected, investigated, and remediated to prevent recurrence.
- Additionally, measures must be in place to ensure the continued processing of data even if its confidentiality, integrity, or availability is compromised, such as through data backups.
- Logs and personal data must be retained for at least one year to facilitate breach detection, investigation, and prevention unless other legal obligations require otherwise.
- Contracts with Data Processors must include provisions mandating the implementation of reasonable security measures, and appropriate technical and organizational measures must be adopted to ensure effective enforcement of these safeguards.
What is the Data Fiduciaries’ Process for Intimating a Personal Data Breach?
If a Data Fiduciary becomes aware of a personal data breach, it must promptly inform each affected individual in a clear, concise, and understandable manner, using the person’s registered communication method or user account.
Previous versions before 2023 did not require Data Fiduciaries to notify data principals in the event of a breach.
The notice must detail the breach’s nature, extent, timing, location, consequences, mitigation steps, safety measures, and contact information. The Data Fiduciary must also promptly inform the Board, updating within 72 hours (or as permitted) on breach details, causes, mitigation actions, prevention measures, and notifications sent to affected individuals. Find the detailed report on the intimation of personal data breaches here.
What are the obligations of Significant Data Fiduciaries (SDFs)?
According to the DPDP Act 2023, the Central Government can classify certain Data Fiduciaries or groups of them as ‘Significant Data Fiduciaries.’ This decision is based on factors such as the amount and sensitivity of personal data they handle, potential risks to individuals’ rights, impacts on India’s sovereignty and security, risks to electoral democracy, security of the State and concerns about public order. An SDF is a subset of Data Fiduciaries and has stricter obligations under the Rules, as listed below.
Obligations under the rules
- An SDF must ensure that personal data specified by the Central Government (on the recommendation of a committee), along with the traffic data pertaining to its flow, is not transferred outside India.
- An SDF must carefully verify that any algorithmic software used for hosting, display, uploading, modification, publishing, transmission, storage, updating or sharing of personal data does not harm the rights of individuals.
- An SDF must conduct a Data Protection Impact Assessment and an audit every twelve months from its designation or inclusion in the notified class of Data Fiduciaries to ensure compliance with the Act and its rules.
- An SDF must ensure that the individual conducting the assessment and audit provides the Board with a report containing key findings.
Under the DPDP Act, SDFs must appoint a Data Protection Officer based in India to act as their representative under the Act, report to its governing body, and handle grievance redressal. They must also hire an independent data auditor to review compliance. Breach of provisions of the Act or rules by an SDF can result in penalties of up to Rs. 150 crore.
When Can Data Fiduciaries Retain Data and When Must They Erase It?
If a Data Fiduciary processes personal data for purposes listed in the Third Schedule (explained below) and the Data Principal (the individual to whom the personal data relates) does not interact with it within a set timeframe, the data must be deleted unless legal reasons require its retention.
Before erasure, Data Fiduciaries must inform the individual at least 48 hours in advance, alerting them that the system will erase their data unless the individual logs into their user account or contacts the Data Fiduciary to initiate the specified purpose or exercise their rights regarding the data.
The Third Schedule mandates certain Data Fiduciaries, like e-commerce, online gaming, and social media platforms with specified user thresholds, to retain personal data for three years from the last user interaction or the start of the Digital Personal Data Protection Rules, 2025.
However, this retention period does not apply if the data is needed solely to enable the individual to access their user account or any virtual tokens, issued by or on behalf of the entity, that can be used for money, goods, or services. In these cases, the data can be kept for as long as necessary for these specific purposes.
How Should a Data Fiduciary Provide Contact Information for Data Queries?
Every Data Fiduciary must clearly display the contact information of the Data Protection Officer (if applicable) or another person who can answer questions about how the Data Fiduciary processes personal data. This contact information should be visible on their website or app and included in any response to an individual’s request to exercise their rights under the Act.
Moreover, every Data Fiduciary must display on its website or app the time frame for addressing grievances from individuals.
How Must Data Fiduciaries Obtain Verifiable Consent for Processing a Child’s Data?
A Data Fiduciary must ensure verifiable parental consent before processing a child’s data, confirming the parent’s identity and age using reliable information or trusted sources like government IDs or Digital Locker tokens. However, certain Data Fiduciaries may process children’s data without verifiable consent, as allowed by specific rules.
You can find a detailed report on verifiable consent for processing the personal data of a child or a person with a disability with a legal guardian here.
What Are the Rules for Transferring Personal Data Outside India?
Data Fiduciaries processing data within India or in connection with offering goods or services to individuals from outside India must comply with any requirements the Central Government, by general or special order, sets in respect of making such personal data available to a foreign State or its entities.
When Can the Government Request Information from Data Fiduciaries?
The Central Government can ask a Data Fiduciary or intermediary to provide information for purposes outlined below (as per the Seventh Schedule of the Rules). The government will specify the time frame for providing this information.
If disclosing the information could harm India’s sovereignty, integrity, or security, the Data Fiduciary or intermediary must obtain written permission from the authorized person before disclosing it.
The Seventh Schedule allows the government to use personal data for India’s sovereignty, integrity, or national security, with a designated officer overseeing this. It also permits data use or disclosure to fulfil legal obligations under Indian law, managed by an authorized person. Moreover, it empowers the government to designate SDFs based on data-handling roles, assessed by a MeitY officer.