India's new data rules: Consent, localization, children's privacy.

  • New data protection rules impact personal data handling.
  • Consent is crucial; data localization is enforced.
  • Children's data needs parental consent online.

The Indian government's recent notification of draft rules for the Digital Personal Data Protection (DPDP) Act marks a significant development in the nation's approach to data privacy. These rules, released fourteen months after the Lok Sabha's passage of the DPDP Act in August 2023, significantly alter the landscape for how companies and government entities handle personal data, particularly that of children. The core principle underpinning these regulations is the requirement for explicit consent. Entities seeking to utilize and process personal data must obtain consent from individuals, a process managed by designated 'consent managers' who maintain records of these authorizations. This establishes a framework of accountability and transparency in data handling practices. The ramifications of this requirement extend across various sectors, including e-commerce, social media, and online gaming, all of which are classified as 'data fiduciaries' under the new rules.

A key provision of the new rules focuses on data retention. Data fiduciaries, encompassing the aforementioned sectors, are permitted to retain user data only for the duration of the provided consent. Upon the withdrawal or expiration of consent, the data must be promptly deleted. This addresses concerns about indefinite data retention and empowers individuals with greater control over their personal information.

The rules also introduce stringent regulations concerning the data of minors. Individuals under the age of 18 now require parental consent to join and access social media and other online platforms. This stipulation emphasizes the protection of vulnerable populations and highlights the increased awareness of the potential risks associated with online activities for children. Further safeguards necessitate that digital platforms undertake due diligence to verify the identity of the individual claiming parental consent, ensuring that they are indeed an adult and identifiable for legal compliance purposes. This rigorous approach to verification underscores the importance of safeguarding children's data and preventing potential misuse.

One of the most impactful aspects of the DPDP rules is the reintroduction of data localization norms. This measure requires that personal data specified by the central government be processed within the country's geographical boundaries by 'significant data fiduciaries.' Data localization, the practice of storing and processing data within a specific region, prevents its transfer across international borders or storage in foreign data centers. This policy seeks to bolster data security and sovereignty by limiting the potential exposure of sensitive information to external risks or access by foreign entities. The implementation of data localization has implications for multinational technology companies, commonly referred to as Big Tech, and could reshape their operational strategies in India.

The rules also outline responsibilities for data fiduciaries in maintaining the security of personal data under their control. They are mandated to implement reasonable security safeguards to prevent data breaches. In the event of a breach, a prompt notification to affected individuals is mandatory, detailing the nature, scope, timing, and location of the incident. This requirement ensures transparency and enables individuals to take proactive measures to mitigate potential harm.

Furthermore, the draft rules impose an annual Data Protection Impact Assessment (DPIA) requirement on significant data fiduciaries, as defined by the DPDP Act. These assessments must be submitted to the Data Protection Board. The DPIA mandates a comprehensive evaluation of potential risks associated with data processing activities, thereby promoting a proactive and preventive approach to data security.

The implementation of these regulations is expected to bring about significant changes in how businesses operate within the digital ecosystem in India. Companies will need to adapt their data handling practices to comply with the new rules, potentially necessitating investment in new technologies and infrastructure. The regulations also empower individuals with more control over their data, strengthening their rights and enhancing data protection measures. The long-term impact of these rules will likely depend on their effective enforcement and the responsiveness of companies to the new regulatory landscape. Ongoing developments and interpretations of the rules will continue to shape the future of data governance in India.

Source: ETtech Explainer: What the draft rules mean for your personal data
