Draft Rules
Govt releases draft rules for Digital Personal Data Protection Act
This story was originally published at 23:01 IST on 3 January 2025
Informist, Friday, Jan. 3, 2025
NEW DELHI – The government on Friday released draft rules for the Digital Personal Data Protection Act, 2023, which seeks to protect the digital data of people, and sought comments from all stakeholders by Feb. 18. According to the rules, a data fiduciary should protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breaches.
The Act states that a data fiduciary is any person who, alone or in conjunction with other persons, determines the purpose and means of processing of personal data. For data protection, the data fiduciary should take appropriate security measures, including securing such personal data through its encryption.
If the data fiduciary becomes aware of any personal data breach, it should intimate each affected data principal in a clear and concise manner, without any delay, through the latter’s user account or any mode of communication registered. The data fiduciary should give a description of the breach, including its nature, extent and timing, and location of its occurrence.
In addition, the data fiduciary shall, within 72 hours of becoming aware of any personal data breach, intimate the same to the Data Protection Board of India. In its intimation to the board, the data fiduciary should specify the reasoning for the breach, findings regarding the person who caused the breach and measures proposed to mitigate risk.
In a significant move, the rules state that the data fiduciary, who is processing personal data for its corresponding purposes, shall erase the data, unless its retention is necessary for compliance with any law. The rules said that the timeline for keeping the data is three years for data fiduciaries such as e-commerce entities having not less than 20 million users in India, online gaming intermediaries having not less than 5 million registered users in India and social media intermediaries having not less than 20 million users in India. The data fiduciary shall inform the data principal 48 hours before the erasure of data that the same shall be erased unless the latter logs into its user account or initiates contact with the former.
The rules have mandated every data fiduciary to "prominently" publish on its website or application, business contact information of the data protection officer in its every response to communication regarding the rights of the data principal.
Further, the data fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of a child's parent is taken before processing the child's personal data. The data fiduciary shall observe due diligence for checking that the individual identifying herself as the parent is an adult who is identifiable if required in connection with compliance with any law for the time being in force in India, the rules said.
Imposing additional obligations, the rules ask a significant data fiduciary, once in every 12 months from the date it was notified, to undertake a data protection impact assessment and an audit to ensure effective observance of the provisions of the Act and their rules. The significant data fiduciary shall take measures to ensure that personal data specified by the Centre on the basis of its constituted panel is processed subject to restriction that the personal data and traffic data pertaining to its flow are not transferred outside India.
The rules have also highlighted some rights of data principals. The data fiduciary, and where applicable, the consent manager, shall publish on their website the details of means through which a data principal can make a request for exercising their rights. For accessing information about personal data and its erasure, the data principal may make a request to the data fiduciary to whom she had previously given her consent. Further, the data fiduciary and consent manager shall publish the period under its grievance redressal system for responding to grievances of data principals.
Regarding the transfer to any other country of personal data processed by a data fiduciary, the same was subject to the restriction that the data fiduciary shall meet such requirements as the central government may specify.
The provisions of the Act will not apply to the processing of personal data necessary for research, archiving or statistical purposes if it is carried on in accordance with the standards specified in the second schedule of the rules.
On the appointment of the chairperson of the board, the central government shall constitute a search-cum-selection committee with the cabinet secretary as the chairperson. Further, the committee included the secretaries to the Government of India in charge of the Department of Legal Affairs and the Ministry of Electronics and Information Technology and two experts of repute having special knowledge or practical experience. The central government shall, after considering the suitability of individuals recommended by the search-cum-selection committee, appoint the chairperson or other member, as the case may be.
The chairperson shall fix the date, time and place of meetings of the board with one-third of the membership being the quorum for its meetings. The chairperson shall have a casting vote in case of equality of votes. The appeals to the board's order shall be filed with the Telecom Disputes Settlement and Appellate Tribunal.
Further, the rules specify the conditions of registration of consent managers and their obligations. Consent manager means a person registered with the board, who acts as a single point of contact to enable a data principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform.
Last year, Parliament passed the Digital Personal Data Protection Bill, 2023. The Act applies to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised. It also applies to such processing outside India, if it is for offering goods or services in India. The Act grants certain rights to individuals, including the right to obtain information, seek correction and erasure, and grievance redressal.
Reported by Surya Tripathi
Edited by Deepshikha Bhardwaj
