Mint Explainer: The digital personal data protection Act, its rules, and roadblocks

India's proposed rules to protect an individual's data provide a mix of clarity and fresh ambiguity. (Pixabay)

Summary

  • India's much-awaited draft rules to enable the digital personal data protection Act introduce a complex landscape for companies handling personal data. Key issues around consent management and data transfer restrictions could impact compliance and operational practices.

Companies waited nearly two years for the Indian government to frame rules for implementing the Digital Personal Data Protection Act, a threadbare piece of legislation that left many questions about compliance mechanisms unanswered. The ministry of electronics and information technology’s (Meity) draft personal data protection rules, published on Friday for public consultation, are extensive. But they leave some questions hanging and raise a few concerns. Mint explains:


Do the draft rules facilitate “consent" gathering under the DPDP Act?

The DPDP Act considers “consent" as the primary factor for processing an individual’s “personal data". However, such consent is required to be “free, specific, informed, unconditional and unambiguous". Moreover, the consent has to be limited for the “specific purpose" for which it is obtained.

Rule 3 in the draft published on Friday provides clarity on the format of the notice under which consent can be obtained: it requires the description of the personal data to be collected, the specified purpose of the data collected, and the provision of a link to exercise the individual’s rights under the DPDP Act.

Concern: In emphasizing the “specified" purpose of the data, the legislators have created an overlap with the provisions of “Legitimate Use" under the DPDP Act, which allow data fiduciaries (controllers or organisations that handle personal data) to process personal data in cases “where the data principal has voluntarily provided her personal data to the data fiduciary, and in respect of which she has not indicated to the data fiduciary that she does not consent to the use of her personal data". In other words, if a data fiduciary has to spell out every required use of an individual’s personal data in the notice, the “Legitimate Use" provisions, which allow data to be used for purposes that have not been specifically refused, become redundant.


Will the consent manager facilitate data privacy?

Companies had sought clarity on whether a consent manager was required to be part of the data fiduciary’s organization or a third-party ombudsman. The draft rules clarify that the consent manager will be a third-party ombudsman. The consent manager is also required to provide a platform that will act as an intermediary between individuals and data fiduciaries to facilitate the giving of consent, much like the one provided by Account Aggregators under the Reserve Bank of India’s guidelines.

Concern: An overlap may arise because consent has to be provided through the consent manager’s intermediary platform. Since a data fiduciary is also required to maintain its own platform for addressing an individual’s grievances, this may create an interoperability challenge, where an individual has to use one platform for giving consent and another for raising grievances.


Are restrictions on cross-border data transfers, or data localisation, back?

Various iterations of the privacy or DPDP Act have taken differing stances on this. While the DPDP Act seemingly eliminated restrictions on cross-border data transfers, Rule 12 in the draft published for public consultation reintroduces restraints for “significant data fiduciaries".

Concern: Rule 12 requires the formation of a committee that will recommend restrictions on “personal data and the traffic data pertaining to its flow of traffic" to prevent data transfer outside India. Yet the concept of significant data fiduciaries is yet to be categorically defined, and the committee itself has yet to be constituted.


What happens in the event of a data breach?

India has seen some significant data breaches in recent years. As per Rule 7 in the draft, “upon becoming aware of any personal data breach" a significant data fiduciary is required to inform each affected principal “without delay", along with a description of the breach, its consequences, the safety measures taken, and the contact details of the fiduciary’s data protection officer. A similar initial notice has to be given to the authorities “without delay", followed by a more detailed report within 72 hours “of becoming aware" of the breach.

Concern: As the DPDP Act defines a data breach as “any unauthorised processing of personal data or accidental disclosure…", companies may be required to notify authorities and affected individuals of even minor incidents. A higher threshold, such as the one prescribed under Singapore law, which requires either “significant harm" or at least 500 affected individuals before a breach must be reported to the authorities, would be preferable.


Vikram Koppikar is a privacy lawyer. His views are personal. 
