The Ministry of Electronics and Information Technology has released draft Digital Personal Data Protection Rules for public consultation. These rules are a significant step towards operationalizing India’s personal data protection regime. The rules set stringent requirements for processing personal data.
.@GoI_MeitY has released the long awaited DPDP Rules 16 & a half months after the DPDP Act, 2024 was enacted.
We are dismayed that after such a long wait the Rules have failed to rise to the occasion & meet our expectations. 🧵1/9 https://t.co/Iu1n2WwGmQ
— Internet Freedom Foundation (IFF) (@internetfreedom) January 4, 2025
Service providers must clearly specify what data is being collected and immediately alert users in case of a breach. For data breaches, fiduciaries must inform both the Data Protection Board (DPB) and affected users without delay. Detailed reports are required within 72 hours.
New: Verifiable parental consent as proposed in the draft DPDP Rules relies on 2 assumptions:
1. Children voluntarily declaring they’re underage
Edited by @VinayakD
Shorter story in today’s paper:
Link to detailed story (use reader mode due to ads): https://t.co/gFy6SJZzyg
— Aditi Agrawal (@Aditi_muses) January 5, 2025
Every data fiduciary must give notice to a user before seeking consent. The notice should detail the personal data to be processed, the purpose, and the services provided through such processing.
New: Key points from the draft Digital Personal Data Protection Rules. Some expected things, some new things, some scary things (data localisation, Section 36+Rule22). https://t.co/zVxgXGMlyY
— Aditi Agrawal (@Aditi_muses) January 3, 2025
Significant data fiduciaries must publish contact details of their Data Protection Officers or other relevant persons to address user queries.
Stricter rules for children’s data
The rules introduce strict requirements for processing children’s data. Verifiable consent from parents or guardians is required before handling the personal information of users under 18 years. Exemptions are included for healthcare providers, educational institutions, childcare centers, and school transport services.
Nikhil Narendran, partner at Trilegal, noted that the children’s data provisions are similar to the Australian law that led to banning social media for children under 16.
Large technology platforms can be notified as “Significant Data Fiduciaries” by the central government based on various factors.
The draft rules propose that the government can define the types of data that must be localized within India’s borders. Under Section 36 of the Act, the government can demand information from the DPB, a data fiduciary, or an intermediary. The recipients are prohibited from disclosing such demands.
The rules set out three purposes for data use: national security, lawful functions, and classifying data fiduciaries. The DPDP Act only applies to data processed digitally, but if data is scanned and stored in a computer, it falls under the Act. The draft rules detail the formation of two search-cum-selection committees to select DPB officials and outline the DPB’s operational procedures.
Consent managers must be Indian companies with a minimum net worth of ₹2 crore and must maintain consent records for at least seven years without outsourcing their services. Aprajita Rana, partner at AZB & Partners, commented that the rules for consent managers are stringent, making it challenging for Big Tech to develop consent managers.
For government access to data, state instrumentalities can process personal data without fresh consent for providing subsidies, benefits, services, licenses, or permits. They only need to inform users about such processing.
The draft rules are particularly significant for social media and gaming platforms, expanding the definition of a ‘social media intermediary’ to include broader categories of intermediaries. The public can submit comments on the draft rules through the MyGov portal until February 18.