The Digital Personal Data Protection Act, 2023 (Act) was enacted on 9 August 2023, leaving the industry eagerly awaiting the announcement of its enforcement date. The Act employs the phrase ‘as may be prescribed’ a total of 26 times and is heavily reliant on the rules for prescribing the procedures and formats required for implementation of the Act and for constituting the Data Protection Board of India (Board) (i.e., the entity responsible for the enforcement of the Act).
The first draft of the Digital Personal Data Protection Rules, 2023 (Draft Rules) was published on 3 January 2024, and is open for stakeholder comments until 18 February 2024. The Draft Rules offer substantial clarity on how the Government intends to implement the Act. This article attempts to discuss the key strengths and potential shortcomings of the first draft of the rules introduced under the Act. Certain aspects where the Government has correctly hit the mark include:
1. Specific, Informed Consent: The Act lays down the principle of ‘consent first’ for personal data processing. The Draft Rules adopt a user-centric approach by requiring specific and informed consent against an independent and understandable privacy notice that should contain an itemised description of the personal data collected, its intended usage, etc. This provision empowers users to give true consent with complete knowledge of the facts, along with an option to withdraw consent.
2. Reasonable Security Safeguards: The Draft Rules prescribe security measures such as encryption, obfuscation, masking, and the use of virtual tokens mapped to personal data. This is a significant departure from the erstwhile requirement of meeting the world’s best-known information security standard, i.e., the ISO 27001 standard. This pivot in data security safeguards gives data fiduciaries the operational independence to implement the safeguards that are appropriate to their organisation and functions in order to protect personal data.
3. Data Breach Notification to Users: In case of a data breach, data fiduciaries (i.e., the entities determining the purpose and means of data processing) are required to notify all affected users without delay, in a clear and concise manner, along with the consequences relevant to each such user. In this manner, the Draft Rules keep users adequately informed while not burdening data fiduciaries with a stringent time limit for complying with this obligation.
In addition to the above, certain areas where the Draft Rules could be improved to reduce operational ambiguity for data fiduciaries and increase implementation efficiency include:
1. Verifiable Parental Consent: The Draft Rules prescribe that data fiduciaries are required to verify that the parent consenting on behalf of a child is in fact an identifiable adult. However, the explanatory statement accompanying the Draft Rules adds another due diligence obligation, requiring that the “Data Fiduciary must implement measures to ensure that the person providing consent for a child’s data processing is the child’s parent or legal guardian”. If the Government in fact intends for data fiduciaries to establish a parent-child relationship between the minor user and the adult giving consent, this would be a very grave compliance burden on data fiduciaries.
2. Cross-Border Data Transfer Restrictions: The Act restricts the transfer of personal data by a data fiduciary to such countries or territories outside India as may be notified. However, instead of notifying the blacklisted countries, the Draft Rules require data fiduciaries to meet certain criteria, yet to be prescribed, in order to transfer personal data outside India. This shift in the approach to governing cross-border transfers of personal data has caused confusion among industry players. It is imperative that more clarity is provided in this regard so that India continues to grow as a global hub for data centres.
3. Eligibility Conditions for Consent Managers: Consent managers are registered entities that enable users to give, withdraw, manage and review their consent through accessible and interoperable platforms. The Draft Rules require such consent managers to have no conflict of interest with data fiduciaries and to act in a fiduciary capacity for users. Moreover, the minimum net worth requirement of INR 2 crore (approximately USD 231,400) serves as a barrier to startups and new entities, which would ordinarily not have any conflict of interest, from entering this sphere. Additionally, existing tech giants that would fulfil the minimum net worth requirement could not be registered as consent managers because of their conflict of interest as data fiduciaries. Therefore, the scope, intent, and means of profitability for such entities remain unclear.
Conclusion
The Draft Rules are a significant step towards shaping the Indian data protection regime and contain key provisions that require procedural clarity for the successful implementation of the Act. It is also expected that certain provisions, such as the manner in which users may make complaints to the Board or the format for conducting a data protection impact assessment, will be notified separately by the Board. To ensure business continuity for data fiduciaries in India and to refine the Draft Rules, it is imperative that industry stakeholders actively participate in the public consultation process.
(Harsh Walia is Partner, and Khyati Goel is Associate at Khaitan & Co. The views expressed are personal.)