NEW DELHI: The government on Friday released the draft rules under the Digital Personal Data Protection (DPDP) Act, introducing specific provisions governing cross-border data flow, parental consent for processing children’s data, and new obligations for data fiduciaries. These rules, open for public consultation until February 18, mark a pivotal step toward robust data governance.
Central to the draft is the government’s control over cross-border data flow. A specialised committee, appointed by the government, will determine which categories of personal data must remain within India’s borders. Additionally, data fiduciaries seeking to process personal data outside India must comply with specific conditions to be outlined through government notifications. Officials suggest that these measures aim to safeguard sensitive data from potential exploitation abroad, aligning with national security interests. While the Act had dropped specific provisions relating to compulsorily storing personal data in the country, it had stated that cross-border flow of data can be done with friendly nations. The rules seem to suggest that the committee will, from time to time, provide either a “blacklisting” or a “whitelisting” approach.
The draft mandates that significant data fiduciaries conduct annual data protection impact assessments and present their findings to the Data Protection Board, a regulatory body established under the Act. The board, which will operate digitally with remote hearings, is tasked with investigating breaches, imposing penalties, and ensuring compliance. A search-and-selection committee will appoint the board’s chairperson and members, reinforcing its independence and accountability.
One of the standout features of the draft rules is the emphasis on parental consent for processing the data of children under 18. Fiduciaries must verify such consent through government-issued identification or digital tokens linked to identity services like DigiLocker. Educational institutions, healthcare providers, and child welfare organisations are exempt from certain provisions, balancing regulatory compliance with operational feasibility.
The draft also introduces a framework for consent managers, entities that will enable individuals to grant or revoke consent for data processing. To qualify, these managers must register with the Data Protection Board and maintain a minimum net worth of Rs 12 crore. This ensures that only well-capitalised entities handle the sensitive task of managing consent.
On data breach reporting, the draft mandates fiduciaries to notify the Data Protection Board immediately and in detail within 72 hours of becoming aware of a breach. The penalty for violations under the DPDP Act can reach Rs 250 crore per instance.
Data erasure norms have also been clarified. Fiduciaries are required to delete personal data no longer needed after a three-year period. They must notify individuals 48 hours before erasing such data, allowing them to intervene if necessary. This provision balances data minimisation with user control.
While these rules aim to bolster data protection, they also grant the government significant powers to access personal data in the interest of sovereignty, integrity, and state security. This may spark debates about transparency and oversight. Legal experts and analysts said that the consultation process may witness discussions on this issue, particularly concerning the balance between privacy and national security.
“Data localisation will be a major point of contention,” said Dhruv Garg, partner at the Indian Governance and Policy Project and a technology law expert. “Requiring certain categories of personal data to stay within India’s borders adds layers of complexity for global corporations. Clarifications are needed on how the government and its specialised committee will define these categories.”
The provisions on cross-border data transfers, which allow the government to impose additional requirements through general or special orders, also merit closer examination. “There’s ambiguity in terms like ‘specified conditions,’ which could lead to varying interpretations and enforcement challenges,” Garg noted.
Another area likely to generate debate is the process of verifying parental consent for children’s data. Experts argue that while the draft emphasises stringent measures, the operational feasibility of verifying parental identity and adulthood through existing systems will need refinement to avoid unintended barriers.
Source: The Financial Express