New Delhi: Sixteen months after the Digital Personal Data Protection (DPDP) Act, 2023 was assented to by the president, the Union electronics and information technology ministry has drafted the rules needed to implement it and has invited the public’s feedback. The draft framework prioritises control over cross-border data flow.
Published on Friday (January 3) evening, the rules say that data fiduciaries – entities that keep personal data – that are deemed “significant” must take measures to process personal data specified by the Union government on the basis of a committee it forms “subject to the restriction that the personal data and the traffic data pertaining to its flow is not transferred outside the territory of India”.
The DPDP Act says data fiduciaries may be deemed “significant” based on the volume and sensitivity of the personal data they process, any potential impact on India’s sovereignty and integrity, risk to electoral democracy and the state’s security, among other things.
According to The Indian Express, major tech firms such as Google, Meta, Microsoft, Apple and Amazon are expected to be deemed significant data fiduciaries.
The move is aimed at safeguarding sensitive data from exploitation overseas and at protecting national security interests, the Financial Express noted.
The draft regulations also mandate annual data protection impact assessments for significant data fiduciaries and establishment of a Data Protection Board to investigate breaches, impose penalties, and ensure compliance.
While the DPDP Act requires that data fiduciaries obtain “verifiable consent” from parents before processing children’s personal data, the rules prescribe ways in which they shall check whether a person identifying themselves as a parent is an adult, if required by Indian law.
This may be done by referring to either age or identity details that are voluntarily provided, or through a virtual token that is mapped to these details and that is issued by an entity – or a person such an entity appoints – which the Union or a state government entrusts with maintaining the said details, the rules say.
Such a virtual token may be verified and made available by a digital locker service, they add.
The other way to verify whether a parent is an adult is by referring to “reliable details of identity and age” that are available with the fiduciary.
As noted by IE, the government has proposed to exempt certain categories of fiduciary from taking parental consent before processing children’s personal data, such as health and educational institutions.
Also read: Digital Personal Data Protection Law Raises Questions About Consistency With Right to Privacy Ruling
The public will have until February 18 to submit its feedback to the draft rules using a portal on the MyGov website, the technology ministry said on Friday.
In a press release on the rules issued on Saturday, the Internet Freedom Foundation (IFF) charged that the rules were “too little, too vague and too late”.
It said the rules gave the government too wide a berth in processing personal data and that they give “the government a lot of power without clear criteria” in allowing it to determine the kind of personal data that ‘significant’ fiduciaries must localise within Indian borders.
“The DPDP Rules do not establish strong enforcement or oversight mechanisms. While penalties may be levied, there is no explicit provision for independent audits or compliance monitoring,” the IFF also said.
Regarding the rules’ safeguards against the processing of children’s personal data, the IFF said that if the government needs age verification to check whether a user is a child, “it may in future require every online user to verify their age through government credentials”.
“This holds the potential for mass surveillance with government IDs linked to every user’s online credentials,” it added.
Around the time the DPDP Act was passed, there were also concerns that it would dilute the RTI Act and that it gave wide exemptions to the government from safeguards against the processing of personal data.
Writing in The Wire, security researcher Karan Saini had noted in August 2023 that one such exemption was that data can be processed “in the interest of prevention, detection, investigation or prosecution of any offence … in India.”
“These kinds of exemptions are dangerous as they stand to legitimise widespread and unwarranted collection of data under the guise that such collection and processing may ultimately be useful for preventing or deterring a crime,” Saini wrote.
