Draft of India’s Digital Personal Data Protection Act 2023
On January 3, 2025, the Union Ministry of Electronics and Information Technology (MeitY) unveiled the much-anticipated draft Digital Personal Data Protection Rules, 2025 (DPDP Rules), marking a significant milestone in India’s efforts to safeguard digital privacy. These rules, framed under the Digital Personal Data Protection Act, 2023 (DPDP Act), set out the legal mechanisms for the collection, processing, and storage of personal data. As India increasingly embraces the digital age, the rules aim to balance the protection of individual privacy with the promotion of innovation, laying the groundwork for robust data governance and greater accountability in the country’s growing digital ecosystem. Let’s go through the draft:
1. Scope and Commencement
- The rules are called the Digital Personal Data Protection Rules, 2025.
- Rules 3-15, 21, and 22 will come into effect from a specified date (to be determined).
- Other rules will come into force upon publication in the Official Gazette.
2. Notice Requirements
Data Fiduciaries must provide clear, understandable notices to Data Principals that include:
- Itemized description of personal data to be processed.
- Specified purpose and description of goods/services enabled by processing.
- Means to withdraw consent, exercise rights, and complain to the Board.
3. Consent Manager Registration
- Consent Managers must meet conditions in First Schedule Part A to register with the Board.
- The Board can suspend/cancel registration if conditions are not met.
- Consent Managers have obligations specified in First Schedule Part B.
4. Processing by State Entities
- State entities can process personal data to provide subsidies, benefits, services etc. under law/policy or using public funds.
- Must follow standards in the Second Schedule.
5. Security Safeguards
Data Fiduciaries must implement reasonable security measures including:
- Encryption, access controls, monitoring, and backups.
- Retaining logs and data for 1 year.
- Appropriate contractual provisions with Data Processors.
6. Data Breach Notification
- Notify affected Data Principals without delay with breach details, consequences, and mitigation measures.
- Notify Board within 72 hours with detailed information on breach, impact, and remedial steps.
7. Data Retention and Erasure
- Erase data after specified periods in Third Schedule if Data Principal is inactive.
- Inform Data Principal 48 hours before erasure.
8. Rights of Data Principals
- Data Fiduciaries must publish means for Data Principals to exercise rights.
- Enable access to information, erasure, and nomination rights.
9. Additional Obligations for Significant Data Fiduciaries
- Conduct annual data protection impact assessment and audit.
- Verify algorithmic software does not pose risks to Data Principal rights.
- Restrictions on cross-border data transfers.
10. Verifiable Parental Consent
- Obtain verifiable parental consent before processing child’s data.
- Verify identity and age of parent.
The First Schedule of the Digital Personal Data Protection Rules, 2025 outlines critical points regarding Consent Managers. Here are the key aspects:
Registration Conditions for Consent Managers
- Must be a company incorporated in India.
- Minimum net worth requirement of 2 crore rupees.
- Sufficient technical, operational, and financial capacity.
- Sound financial condition and management.
- Directors and key personnel must have good reputation and integrity.
- Memorandum and Articles of Association must contain provisions for adherence to obligations.
Obligations of Consent Managers
- Enable data principals to give, manage, review and withdraw consent.
- Maintain records of consents, notices, and data sharing.
- Provide data principals access to their records.
- Maintain records for at least 7 years.
- Develop and maintain a website/app for services.
- Implement reasonable security safeguards.
- Avoid conflicts of interest with data fiduciaries.
- Publish information about promoters, directors, and shareholding.
- Conduct regular audits and report to the Board.
- Obtain Board approval for transfer of control.
The Second Schedule of the Digital Personal Data Protection Rules, 2025 outlines standards for processing personal data by the State and its instrumentalities under specific sections of the Act. These standards aim to ensure lawful and responsible data processing. Key points include:
- Lawful processing: All data processing must be carried out in a lawful manner.
- Purpose limitation: Processing should be done only for specified uses under clause (b) of section 7 or purposes under clause (b) of sub-section (2) of section 17 of the Act.
- Data minimization: Only necessary personal data should be processed for the specified uses or purposes.
- Accuracy: Reasonable efforts must be made to ensure the accuracy of personal data.
- Retention limitation: Personal data should be retained only as long as required for the specified uses/purposes or to comply with applicable laws.
- Security safeguards: Reasonable measures must be implemented to prevent data breaches and protect personal data.
- Notification requirements: When processing under clause (b) of section 7, the Data Principal must be informed of:
  a) Contact information for queries about data processing
  b) Means to access the Data Fiduciary’s website or app
  c) Information on how to exercise rights under the Act
- Compliance with government policies: Processing must be consistent with standards set by Central Government policies or applicable laws.
- Accountability: The entity determining the purpose and means of data processing is accountable for observing these standards.
These standards aim to balance the State’s data processing needs with individuals’ privacy rights, ensuring transparency, security, and accountability in government data handling.
The Third Schedule of the Digital Personal Data Protection Rules, 2025 specifies the time periods after which certain classes of Data Fiduciaries must erase personal data if the Data Principal has not approached them or exercised their rights. Here’s a summary in table format:
| Class of Data Fiduciary | Minimum Registered Users | Time Period for Data Erasure |
|---|---|---|
| E-commerce entities | 2 crore or more in India | 3 years |
| Online gaming intermediaries | 50 lakh or more in India | 3 years |
| Social media intermediaries | 2 crore or more in India | 3 years |
Action Plan
- Identify if your organization falls into any of these categories based on the number of registered users.
- Implement a system to track user inactivity periods.
- Develop an automated process to erase personal data after 3 years of inactivity.
- Create a notification system to inform Data Principals at least 48 hours before data erasure.
- Establish exceptions for data retention required for compliance with other laws.
- Ensure your data erasure process excludes data necessary for user account access and virtual tokens issued by your organization.
- Update your privacy policy to reflect these data retention and erasure practices.
- Train relevant staff on these new data handling procedures.
- Regularly audit your systems to ensure compliance with these erasure requirements.
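Worked example, added here and not part of the draft Rules or of this post: a small Python scheduler that applies the Third Schedule thresholds and the action-plan steps above (3-year inactivity, 48-hour advance notice, the carve-out for account-access data and virtual tokens, and a legal-hold exception for retention required by other laws). The category labels, the 365-day year, the legal-hold mechanism and the sample records are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Third Schedule thresholds as summarised above (1 crore = 10,000,000; 1 lakh = 100,000).
USER_THRESHOLDS = {
    "e-commerce": 2 * 10_000_000,
    "online gaming intermediary": 50 * 100_000,
    "social media intermediary": 2 * 10_000_000,
}
INACTIVITY_PERIOD = timedelta(days=3 * 365)  # "3 years" of inactivity; 365-day year is an assumption
NOTICE_WINDOW = timedelta(hours=48)          # inform the Data Principal at least 48 hours before erasure
# Erasure must exclude data needed for account access and virtual tokens; labels are assumed.
EXEMPT_CATEGORIES = {"account_access", "virtual_token"}


def in_scope(fiduciary_class: str, registered_users: int) -> bool:
    """True if a Data Fiduciary of this class meets the Third Schedule user threshold."""
    threshold = USER_THRESHOLDS.get(fiduciary_class)
    return threshold is not None and registered_users >= threshold


def erasure_status(last_activity: datetime, now: datetime) -> str:
    """Classify one Data Principal's record: 'retain', 'notify' (inside the 48-hour window) or 'erase'."""
    erase_at = last_activity + INACTIVITY_PERIOD
    if now < erase_at - NOTICE_WINDOW:
        return "retain"
    if now < erase_at:
        return "notify"
    return "erase"


def plan_erasure(records: list[dict], now: datetime, legal_hold: set[str] = frozenset()) -> list[tuple]:
    """Decide one action per record; legal_hold lists principals whose data other laws require keeping."""
    actions = []
    for rec in records:
        status = erasure_status(rec["last_activity"], now)
        if status == "erase" and (rec["category"] in EXEMPT_CATEGORIES or rec["principal"] in legal_hold):
            status = "retain-exempt"  # past the 3-year mark, but carved out from erasure
        actions.append((rec["principal"], rec["category"], status))
    return actions


# Constructed sample: one fiduciary's records, evaluated at a fixed "now".
NOW = datetime(2028, 1, 9, 12, 0)
SAMPLE_RECORDS = [
    {"principal": "u1", "category": "order_history", "last_activity": datetime(2024, 12, 1)},  # >3 years idle
    {"principal": "u1", "category": "account_access", "last_activity": datetime(2024, 12, 1)},  # exempt data
    {"principal": "u2", "category": "order_history", "last_activity": datetime(2025, 1, 10)},  # notice window
    {"principal": "u3", "category": "order_history", "last_activity": datetime(2027, 6, 1)},   # still active
]

if __name__ == "__main__":
    for action in plan_erasure(SAMPLE_RECORDS, NOW, legal_hold={"u9"}):
        print(action)
```

Running the block prints one (principal, category, action) tuple per record; the "notify" rows are the ones that must trigger the 48-hour advance notice before the erasure job runs.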
The Fourth Schedule of the Digital Personal Data Protection Rules, 2025 outlines exemptions from certain obligations applicable to processing personal data of children. It is divided into two parts: Part A and Part B.
Part A: Exempted Data Fiduciaries
Part A specifies classes of Data Fiduciaries exempt from sub-sections (1) and (3) of section 9 of the Act, subject to certain conditions. These likely include:
- Clinical establishments and healthcare professionals
- Educational institutions
- Creches and childcare centers
- Transportation providers for children
Part B: Exempted Purposes
Part B specifies purposes for which processing of children’s personal data is exempt from sub-sections (1) and (3) of section 9 of the Act, subject to certain conditions. These likely include:
- Compliance with law
- Provision of subsidies, benefits, or services
- Email communication
- Protecting children from harmful information
- Age verification
Action Plan
1. Identify if your organization falls under any of the exempted categories in Part A
- Review your organization’s activities and services
- Consult legal experts to confirm your exemption status
2. Assess if any of your data processing activities align with exempted purposes in Part B
- Analyze your data processing purposes
- Document how they relate to the exempted purposes
3. Review and update your data processing policies
- Clearly define procedures for handling children’s data
- Ensure compliance with other relevant sections of the Act
4. Implement age verification mechanisms
- Develop robust systems to verify the age of users
- Consider using digital locker services for age verification
5. Establish parental consent procedures
- Create user-friendly interfaces for parents to provide consent
- Implement secure methods to verify parental identity
6. Train staff on exemptions and obligations
- Conduct regular training sessions on handling children’s data
- Ensure staff understand the scope and limitations of exemptions
7. Implement data minimization practices
- Review data collection processes to ensure only necessary data is collected
- Regularly audit and purge unnecessary data
8. Enhance data security measures
- Implement strong encryption for children’s data
- Restrict access to children’s data on a need-to-know basis
9. Develop clear communication channels
- Create child-friendly privacy notices
- Establish procedures for responding to data access requests from children or parents
10. Conduct regular compliance audits
- Schedule periodic reviews of your data processing activities
- Ensure ongoing compliance with the Act and any changes in regulations
11. Establish a process for handling complaints and inquiries
- Set up a dedicated channel for addressing concerns related to children’s data
- Ensure timely and appropriate responses to all inquiries
The Fifth Schedule of the Digital Personal Data Protection Rules, 2025 specifies the salary, allowances, and other terms and conditions of service for the Chairperson and other Members of the Board.
“The Chairperson and every other Member shall receive such salary and allowances and shall have such other terms and conditions of service as are specified in Fifth Schedule.”
Key points likely covered in the Fifth Schedule:
- Salary structure for the Chairperson and Members
- Allowances provided to the Chairperson and Members
- Leave entitlements
- Pension and retirement benefits
- Travel allowances and accommodations
- Medical benefits and insurance
- Terms of appointment and tenure
- Conditions for removal from office
- Restrictions on post-retirement employment
- Any other relevant terms of service
These provisions ensure transparency in the compensation and service conditions for Board members, promoting their independence and effectiveness in carrying out their duties under the Digital Personal Data Protection Act.