Data governance: India's DPDP rules will offer individuals protection
The rules as a whole offer individuals more protection and greater knowledge about who is collecting and holding data, and also some control over personal data.
Last Updated: Nov 17 2025 | 11:51 PM IST
The notification of the Digital Personal Data Protection (DPDP) Rules last week gives the DPDP Act operational clarity by defining how consent is to be taken, breaches reported, minors’ data protected, and cross-border data flows handled. Entities guilty of breaches could face penalties of up to ₹250 crore. There is an 18-month runway to full compliance by May 2027. The framework offers privacy-by-design, minimises data retention, and enforces accountability in line with constitutional protections for digital personal data (DPD).
The Right to Information Act, 2005, has required amendment to align itself with the DPDP Act. Expectedly, the amendment attracted criticism for removing the obligation of government bodies to provide personal information if the public interest outweighs the right to privacy for public officials. The new Data Protection Board of India, appointed by the Union government, will oversee the space, with virtual hearings, digital filings, electronic orders, and digital evidence management. The rules designate companies processing large volumes of data, or operating in sensitive sectors, as “significant data fiduciaries”, facing higher compliance requirements. This is similar to the European Union model of tiered oversight. A governance framework is laid out for consent managers: intermediaries that help users manage permissions while, ideally, easing the frictions of consent and compliance. Consent managers must meet strict qualification conditions, such as barring individuals with moral turpitude, along with requirements on capital adequacy, interoperability between platforms, security, and transparency. It remains to be seen how well this innovation works.
The rules as a whole offer individuals more protection and greater knowledge about who is collecting and holding data, and also some control over personal data. Platforms must now provide collection notices that are “clear, standalone, and free of unrelated or bundled content”. The notice must specify what data is collected, and why, and how users can withdraw consent. Withdrawing consent must be made as easy as giving it. The rules also place emphasis on safeguarding minors’ data. Platforms must verify their age and seek consent from guardians. In practice, these requirements will impact many apps. Consequently, global platforms with Indian users may need to review processes of local consent to comply.
The emphasis on protecting minors clearly affects edtech platforms, gaming companies, social-media applications, and over-the-top platforms with many under-18 users. Similar protection is extended to persons with disabilities, where permission and verification may be done through court-appointed guardians or certified institutions. Breach notifications are immediate and mandatory. If data breaches occur, companies must notify affected users without delay and also provide the Data Protection Board detailed reports including the chronology, data types, risks, and mitigation steps taken. Data fiduciaries and processors must incorporate risk assessments, encryption, logs of access, security reviews, and disposal protocols. All personal processing logs must be retained for a minimum of one year even if the user withdraws consent. Most DPD may be transferred to any country except nations that are specifically restricted. But data related to national security, critical infrastructure, or high-risk sectors may require mandatory local storage. This is a more flexible cross-border protocol than earlier attempts to force total data localisation. In sum, the rules offer individuals a greater degree of protection, but exemption for the government can increase risk.