Privacy Breach Warning: Parental Approval in New Digital Privacy Regulations | Latest News India

The Ministry of Electronics and Information Technology in India has unveiled the draft Digital Personal Data Protection Rules, initiating a public consultation process. This significant development follows the announcement of the Digital Personal Data Protection Act (DPDPA) over 16 months ago, marking a pivotal step toward implementing comprehensive data privacy regulations in the country. The rules are designed to enhance the data privacy framework in India, a notion that has gained traction since an expert panel, chaired by former Chief Justice AP Shah, initially recommended legislation on privacy back in 2011.

An essential aspect of these draft rules pertains to user transparency and consent. Service providers will be required to distinctly outline the types of data they collect from users, as well as to issue timely alerts in the event of data breaches, including incidents such as hacks or unauthorized data leaks. Notably, the rules mandate that individuals under the age of 18 obtain verifiable parental consent before accessing services that involve personal data processing. This requirement appears to stem from wider concerns about children’s online safety and echoes regulations enacted in other jurisdictions.

The draft outlines a staggered approach to implementation, reflecting the profound impact of these regulations across diverse sectors that utilize digital interfaces. Immediate enforcement will apply to components related to the Data Protection Board (DPB), while other provisions, such as consent management and notification requirements, will take effect subsequently. Public feedback on the draft is open until February 18 via the MyGov portal.

The DPB will wield significant authority, akin to that of a civil court, particularly in adjudicating data breaches, with the power to levy fines reaching up to ₹250 crore. Fiduciaries experiencing data breaches will be obligated to notify the DPB and affected users “without delay,” supporting a rapid response framework for such incidents. The rules also stipulate strict data retention timelines, requiring companies to inform users 48 hours in advance before deleting data.

Particular attention is drawn to how data fiduciaries must execute their responsibilities under the DPDPA, providing clear notifications to users about the data being processed, its intended purpose, and any associated services. Additionally, data fiduciaries will need to designate contact information for their Data Protection Officers, ensuring that user queries can be effectively addressed. The draft also imposes stringent guidelines around handling children’s data, requiring that organizations establish verifiable consent from parents or guardians before processing personal information related to minors.

While the proposed framework includes exemptions for certain sectors such as healthcare and education, it mandates that significant data fiduciaries undergo rigorous algorithm audits to ensure user protections are upheld. The central government retains the authority to designate entities as significant data fiduciaries based on criteria including their influence on national security and public welfare.

The draft rules may raise concerns over government access to data, as they allow state bodies to process personal information without prior consent for specific purposes, like issuing benefits or licenses, provided users are notified. Such provisions have been met with scrutiny, as they may set a precedent for expansive governmental oversight in data handling.

For cybersecurity professionals and business owners, the implications of these developments are profound. Mapping risks to the tactics and techniques of the MITRE ATT&CK framework can help organizations assess their exposure as they implement these rules. Techniques relevant to this context may include initial access through social engineering, persistence to maintain access over time, and privilege escalation to manipulate data systems. Understanding these vectors will be vital as organizations prepare for compliance and strengthen their data protection measures in line with these emerging regulations.
