On January 3, 2024, the Ministry of Electronics and Information Technology (MeitY) released the draft rules for the Digital Personal Data Protection Act (DPDP). This announcement follows the Act’s passage in Parliament in August 2023. The government has opened a feedback window via the MyGov portal, allowing stakeholders to submit their comments until February 18, 2025. The anticipation surrounding these rules is high, as they are expected to clarify various facets of the law.
Key Aspects of the Draft Rules
The draft rules aim to provide clarity on several important topics. They cover the obligations of data fiduciaries, the role of consent managers, and the handling of children’s personal data. Additionally, they outline the establishment of the Data Protection Board, which will oversee compliance and address breaches.
Processing Children’s Data
The draft rules specify that a Data Fiduciary must obtain verifiable consent from a child’s parent or legal guardian before processing their personal data. This requirement ensures that consent is identifiable and legitimately obtained. Processing of children’s data is allowed for particular activities, including health services and educational purposes, provided these activities are essential for the child’s well-being.
Role and Registration of Consent Managers
Consent Managers play important role in the data protection framework. They must be incorporated in India and possess a minimum net worth of Rs 2 crore. These entities are required to maintain operational independence and avoid conflicts of interest. They must also provide a certified platform for Data Principals to manage their consent effectively.
State’s Processing of Personal Data
The draft rules permit the State and its instrumentalities to process personal data for issuing subsidies, benefits, and services. This processing must comply with specific standards to ensure lawful and secure handling of data. The guidelines aim to protect Data Principals while allowing the State to fulfil its obligations.
Establishment of the Data Protection Board
A feature of the draft rules is the proposed Data Protection Board. This regulatory body will manage complaints, investigate breaches, and enforce penalties. It will operate digitally, allowing for remote hearings, thereby increasing accessibility and efficiency in handling data protection issues.
- DPDP – Digital Personal Data Protection.
- MeitY – Ministry of Electronics and Information Technology.
- Data Fiduciary – Entity processing personal data.
- Consent Manager – Oversees consent management for data processing.
- Data Protection Board – Regulatory body for data protection compliance.
Feedback and Stakeholder Engagement
MeitY encourages stakeholders to provide their feedback on the draft rules. The ministry has made the draft rules and explanatory notes available on its website for ease of understanding. Stakeholders are invited to submit their comments in a rule-wise manner by the deadline of February 18, 2025. This collaborative approach aims to refine the data protection framework and address any ambiguities or challenges.
Leave a Reply