Union Government notifies draft rules for Digital Personal Data Protection Act
Jan 03, 2025
New Delhi [India], January 3 : Ministry of Electronics and Information Technology of the Union Government notified the draft rules for the Digital Personal Data Protection Act, 2023 (DPDP) today and invited stakeholders to share feedback/comments on the rules.
In his post the Union Minister for Electronics and Information Technology, Ashwini Vaishnaw posted, "Draft DPDP rules are open for consultation. Seeking your views."
https://x.com/AshwiniVaishnaw/status/1875216107650597102
The DPDP act aims to strengthen the legal framework for the protection of digital personal data by providing necessary details and an actionable framework, according to a statement by the ministry. The rules will be taken into consideration after February 18, 2025.
"Draft of rules proposed to be made by the Central Government in exercise of the powers conferred by sub-sections (1) and (2) of section 40 of the Digital Personal Data Protection Act, 2023 (22 of 2023), on or after the date of coming into force of the Act, are hereby published for the information of all persons likely to be affected thereby; and notice is hereby given that the said draft rules shall be taken into consideration after 18th February, 2025," read the union government notification.
"In line with the SARAL framework, certain principles like simple language, unnecessary cross referencing, contextual definition, and illustrations etc. have been used while drafting the rules," the ministry's statement read.
The draft rules define the process for a notice given by a 'Data Fiduciary' (an organisation/entity) to 'Data Principal' (users), and the registration and obligations of a 'Consent Manager.'
"A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach," read the draft rules.
On becoming aware of a personal data breach, the Data Fiduciary "shall, to the best of its knowledge, intimate to each affected Data Principal, in a concise, clear and plain manner and without delay, through her user account or any mode of communication registered by her."
The rules also define the processing for provision or issue of subsidy, benefit, service, certificate, licence or permit by State and its instrumentalities.
"The State and any of its instrumentalities may process the personal data of a Data Principal under clause (b) of section 7 of the Act to provide or to issue to her any subsidy, benefit, service, certificate, licence or permit that is provided or issued under law or policy or using public funds," read the draft rules.
The rules also define the consent for processing of personal data of a child or of person with disability who has lawful guardian.
"Fiduciary shall adopt appropriate technical and organisational measures to ensure that verifiable consent of the parent is obtained before the processing of any personal data of a child and shall observe due diligence, for checking that the individual identifying herself as the parent is an adult who is identifiable if required in connection with compliance with any law for the time being in force in India," read the rules.
In regard to the formation of the Data Protection Board the notifcation said, "A Search-cum-Selection Committee shall be formed by the Central Government to recommend candidates for the position of Chairperson of the Data Protection Board. The committee will be led by the Cabinet Secretary , Secretary MeitY, Secretary DLA and include two subject matter experts."
The committee will also recommend candidates for the position of other Board members -- with the Ministry of Electronics and Information Technology Secretary overseeing the process. The members will be appointed by the Central government after consideration.
The Board shall function as a digital office which, without prejudice to its power to summon and enforce the attendance of any person and examine her on oath, may adopt techno-legal measures to conduct proceedings in a manner that does not require physical presence of any individual, the notifcation read.
