India's DPDP rules: Shaping future of personal data privacy in digital era

First things first. These subordinate rules to the principal legislation -- Digital Personal Data Protection Act -- spell out operational norms for entities in collection and handling of personal data

Press Trust of India New Delhi
6 min read Last Updated : Nov 17 2025 | 7:34 AM IST

India's DPDP rules set a framework for a more accountable digital economy through clear consent standards and data safeguards, with the goal of giving individuals greater control over their personal data in the world's fourth largest economy.

Here is what it means for businesses and individuals. First things first: these subordinate rules to the principal legislation -- the Digital Personal Data Protection Act -- spell out operational norms for entities in the collection and handling of personal data, and protect the rights of individuals.

In simple terms, 'data fiduciaries' are entities that decide the purpose and means of processing individuals' data, while 'data principals' are the individuals or users (of a particular service) to whom the personal data belongs.

Consent notice to individuals: Companies must give clear, plain-language notice seeking informed consent, with an itemised description of the data, the purpose of processing, complaint mechanisms, and an easy consent withdrawal process, where the ease of withdrawal is comparable to the ease with which the consent was given.

Obligations of consent manager: Under DPDP legislation and rules, the 'consent manager' enables individuals to give, manage, or withdraw consent for processing their personal data by any authorised organisation on the platform.

The latest rules spell out the criteria and registration process for such consent managers, their duties, and conditions for suspension or cancellation by the Data Protection Board, in the interests of individuals.

Reasonable security safeguards: Organisations must implement encryption, access control, monitoring, logging, backups and contractual safeguards to protect data, prevent data breaches and ensure data security.

In the event of a personal data breach, companies must promptly inform affected individuals in clear terms about the details of the breach, its potential consequences, mitigation efforts and recommended safety actions, and provide contact information for any queries.

In addition, companies must immediately notify the Data Protection Board with initial breach details, and then within 72 hours provide an updated, comprehensive report detailing the causes, impact, mitigation, any findings about the perpetrators, and the remedial measures taken to prevent recurrence of such incidents.

Experts say companies will need to implement appropriate data security safeguards across all systems handling Indian personal data.

"Coupled with steep penalties of up to Rs 200,00,00,000 (Rs 200 crore) for reporting failures and the stringent 'without delay' notification requirement, organisations will likely need to operationalise a round-the-clock, India-aligned incident response function and incorporate strong, protective indemnity clauses in their Data Processor contracts to mitigate liability exposure," according to JSA Advocates and Solicitors.

Erasure notifications and data retention: E-commerce entities (minimum 2 crore users in India), online gaming companies (minimum 50 lakh users in India) and large social media platforms (minimum 2 crore users in India) will be required to erase personal data after three years of user inactivity or dormancy, except in two cases specified in the rules or where retention is mandated by law.

Companies must notify users at least 48 hours before personal data erasure, alerting them that the data will be deleted unless the user logs in, contacts the firm, or exercises their rights regarding the data.

Irrespective of the category, companies will have to retain personal data and associated logs for a minimum period of one year from the date of data processing.

Guardianship consent and child data protection: Verifiable parental consent will be needed for processing a child's data. Companies will have to ensure that the parent is an identifiable adult (18 years or above), through reliable identity details or authorised digital tokens, before processing the child's personal data.

Certain healthcare and educational entities, and specific child-safe processing purposes, have been exempted from some data protection obligations under specified conditions. The rules also spell out guardian consent norms for processing the data of a person with a disability.

Significant data fiduciary audits: The rules require a significant data fiduciary to conduct a data protection impact assessment and audit annually and to report the findings to the Data Protection Board; it is also required to ensure that its technical measures do not put data principals' rights at risk.

Such large-scale digital platforms must exercise due diligence to verify that their technical measures, including any algorithmic software used for processing, do not pose a risk to individuals' rights.

These data collectors must also take measures to ensure that certain personal data, as specified by the government, is not transferred outside the territory of India. This potential restriction will be based on the recommendation of a committee constituted by the central government, which will include officials from the Ministry of Electronics and IT and may include officials from other ministries or departments of the central government.

While the impact assessment concept mirrors elements of the European Union's General Data Protection Regulation, the significant data fiduciary (SDF) designation introduces a far more intensive, India-specific compliance burden, says JSA Advocates and Solicitors.

Once classified as an SDF, an organisation needs to operationalise annual assessments and audits, implement ongoing algorithmic risk assessments, and prepare for the possibility of strict data-localisation obligations for categories of personal data that may be notified by the government.

"At the moment, there is no clarity on what additional localisation obligations will be imposed. Notably, sectoral localisation obligations, such as payments data localisation, continue to apply," JSA said.

Cross-border data transfer: The DPDP framework permits the transfer of personal data outside India, subject to central government restrictions issued via notifications specifying limitations on sharing data with any foreign state or entities under its control.

India's DPDP framework, under which cross-border transfers are permitted unless a country or entity is specifically restricted, offers far greater operational flexibility than the GDPR's adequacy- and standard-contractual-clauses-based framework, says JSA Advocates and Solicitors.

"For businesses, this could mean faster and lower-cost international data flows, with fewer contractual and assessment burdens, except in situations where additional localisation obligations are applicable to the data or entity in consideration," it added.

Transition time: The DPDP rules come into effect on a staggered timeline, allowing 18 months for companies processing personal data to shift to the new regime. The provisions around the Data Protection Board -- which will oversee enforcement and implementation of the DPDP Act and its rules, including handling complaints, conducting inquiries and ensuring compliance with data protection obligations -- come into force immediately. The consent manager framework activates after 12 months, and compliance obligations such as user consent notices, security safeguards, data rights and breach notifications apply after 18 months.

This gradual rollout gives companies the time they need to align with the new requirements, say experts.

(Only the headline and picture of this report may have been reworked by the Business Standard staff; the rest of the content is auto-generated from a syndicated feed.)


First Published: Nov 16 2025 | 6:38 PM IST