The industry and its stakeholders should be feeling a sense of déjà vu with the draft DPDP rules for consultation, given its various prior versions.
As expected, the implementation of the Rules would initially be only for administrative matters concerning the appointment of the chairperson and other members, salary, allowances and other terms and conditions of service of the chairperson and other members, procedure for meetings of the Board, etc. The other substantive Rules for compliance will be effective from a later date that is yet to be specified.
Verifiable Consent
Consent provisions have been included to ensure verifiable consent of the parent or lawful guardian for processing the personal data of a child or any person with a disability. While the rules are not prescriptive, the provisions require the Data Fiduciary to adopt ‘appropriate technical and organisational measures’, and ‘observe due diligence’.
Exceptions have been made to include clinical establishments, healthcare professionals and educational institutions, subject to compliance with the conditions prescribed. Stakeholders can now examine and plan to put in place mechanisms to meet the criteria.
Data Audit
Significant data fiduciaries are required to undertake a data protection impact assessment and audit, every 12 months, to ensure effective observance of the Act and Rules. The report of such assessment/audit is to be submitted to the Board. Evidently, this is a key provision to ensure that necessary steps are taken and verified regularly, along with continuing compliance.
Notice by Data Fiduciary
Notice to Data Principals is required to include an itemised description of the personal data required and the specified purpose as well as a description of goods and services to be provided. The notice shall also contain a link to enable withdrawal of consent with ease (comparable to that when consent was given), exercise rights under the Act, and make a complaint to the Board.
This is indeed a welcome change stipulating that withdrawal of consent should be as easy as giving consent, perhaps to avoid a situation where providing consent is easy, but withdrawal remains complex.
Reasonable Security Safeguards
To prevent a personal data breach, the Data Fiduciary must protect personal data by taking reasonable security safeguards. Certain minimum safeguards prescribed include using encryption, obfuscation, masking, use of virtual tokens, ensuring visibility on access through appropriate logs, data backups and retaining logs and personal data for a specified period.
While a detailed specification of the requirement may have been expected for ease of reference and compliance, a less prescriptive set of rules does allow the industry and stakeholders to evaluate and put in place reasonable security safeguards that take into account the factors specifically applicable to them. The intent seems to be a hands-off approach rather than hand-holding, perhaps to avoid a check-the-box approach to compliance as well as a one-size-fits-all approach.
Consent Manager
A consent manager enables a Data Principal using its platform to give consent to the processing of her personal data and other actions concerning the same.
Qualifying criteria have been prescribed for a consent manager, which include financial condition, general character, technical/operational capacity and net worth. Obligations cast upon the consent manager include acting in a fiduciary capacity, avoiding conflict of interest with Data Fiduciaries, ensuring that the data content is not readable by it, not sub-contracting or assigning its obligations, maintaining a record of consents given, denied or withdrawn, maintaining a website/app for accessing the services provided, and transparent disclosure of details, including key shareholding as well as KMPs.
Breach Reporting
On becoming aware of a breach, the Data Fiduciary should inform the Data Principal in a clear, concise and plain manner. The reporting should describe the breach, the consequence of the breach, measures being implemented to mitigate risk, safety measures that the Data Principal may take to protect her interest, as well as contact information of the representative of the Data Fiduciary who can respond to queries. Reporting a breach to the Board is also required to be done within 72 hours unless a longer period is allowed. The report to the Board must include the intimations given to the Data Principals.
Data Erasure
The Data Fiduciary will erase the personal data of a Data Principal if, within a specified period, the latter does not approach the Data Fiduciary for performance of any purpose or does not exercise any rights for processing personal data. The rules require that 48 hours before the erasure, the Data Fiduciary will inform the Data Principal of the same to ascertain the way forward with the erasure.
Right to Call for Information and Possible Data Localisation
The draft rules include an omnibus provision that the Central Government may require any Data Fiduciary or intermediary to furnish information where the same is required inter alia in the interest of sovereignty and integrity of India, or security of the State, or carrying out any assessment for notifying a significant data fiduciary or a class of data fiduciaries. The draft rules also stipulate that a significant data fiduciary shall undertake measures to ensure that any specified personal data is processed subject to the restriction that such personal data, plus the traffic data about its flow, is not transferred outside the borders of India.
These rules seem to be broad in scope, including the authorities' power to direct the localisation of specified personal data, and are likely to cause some anxiety. While the draft rules may undergo some tweaks after feedback, we may finally see a comprehensive law on the subject in 2025.
—The author, Raj Ramachandran, is Partner, JSA Advocates & Solicitors. The views are personal.