DPDP Regulations Need to Clarify Consent Mechanisms and Data Breach Notification Requirements, ET LegalWorld

Anticipation Grows for Release of Digital Personal Data Protection Rules in India

The Digital Personal Data Protection (DPDP) rules are expected to be unveiled by the end of this month, aiming to clarify the framework introduced by the DPDP Act, which was enacted in August 2023. This legislation is designed to regulate the processing of digital personal data while safeguarding individuals’ rights to privacy. Navaneeta Kanjilal, an Independent Legal Consultant, emphasized that despite the Act’s passage, its implementation has been delayed due to the lack of necessary supporting rules.

Central to the provisions of the Act is the establishment of the Data Protection Board of India (DPBI) by the Central Government. This board will possess significant authority, including the registration of Consent Managers, who will play a pivotal role in ensuring compliance with data protection protocols. Kanjilal noted that the forthcoming rules should address important elements such as the processes for lodging complaints with the DPBI, guidelines for reporting personal data breaches, and the responsibilities of Consent Managers. Furthermore, criteria for classifying organizations as Significant Data Fiduciaries will be clarified to assist businesses in understanding their compliance obligations.

Rashmi Deshpande, the Founder of Fountainhead Legal, highlighted the necessity for precise guidelines regarding the consent mechanism that organizations must employ. The DPDP framework mandates that entities designated as Data Fiduciaries secure explicit, informed, and unequivocal consent from individuals—referred to as Data Principals—prior to the processing of their personal data. Deshpande pointed out that the rules should also define roles and obligations concerning Consent Managers and specify conditions for designating a data fiduciary as a Significant Data Fiduciary, thereby aiding organizations in navigating their compliance responsibilities.

Additionally, the DPDP Act requires data fiduciaries to report any data breaches to both the DPBI and the affected Data Principal in accordance with prescribed procedures. The upcoming regulations are anticipated to detail the procedures, timelines, and necessary requirements for such reporting, thereby providing clarity to organizations.

Legal expert Ekta Rai from the Delhi High Court underscored the urgency for explicit guidance on the consent framework. She stressed the importance of establishing robust mechanisms that allow individuals to provide, track, and revoke their consent to mitigate the potential for misuse.

The release of the DPDP rules is highly anticipated within the compliance and legal communities, as these guidelines are expected to tackle critical components such as consent mechanisms, data breach reporting protocols, and the functions of Consent Managers. While the DPDP Act lays a solid groundwork for enhancing data privacy and protection in India, the effectiveness of this framework hinges on clear and actionable guidelines that enable businesses to manage cybersecurity risks.

The landscape of data privacy continues to evolve in India as the country grapples with the challenges of protecting personal data in the digital age. The forthcoming rules will play a crucial role in addressing compliance complexities and fostering greater accountability among organizations entrusted with sensitive personal information.
