INTRODUCTION
The Union Government has introduced the Digital Personal Data Protection Rules to operationalize the Digital Personal Data Protection Act, 2023, thereby giving concrete shape to India’s emerging data protection framework. These rules define the rights guaranteed to individuals under the Act, the manner in which digital personal data must be processed, and the obligations of data processing entities. With increasing digitalization across different sectors, the rules aim to create a well-structured, rights-centric and accountable system of governance for this area.
BACKGROUND
The Digital Personal Data Protection Act, 2023, was enacted to ensure that data is processed in a lawful, transparent and purpose-specific manner. However, operational clarity remained blurred until the Government notified the accompanying rules, which specify when and how the obligations under the Act apply. The rules clarify the applicability of the law to entities both within and outside India, particularly those offering goods and services to individuals located in India. The rules detail the operational requirements for compliance, including data processing, norms on consent and many more. The notification brings the entire regulatory structure for digital personal data in India into full effect.
KEY POINTS
The following aspects of the Digital Personal Data Protection Rules complete the operational framework of the DPDP Act, 2023.
First, the Rules clearly define the scope and applicability of the Act. They apply to the processing of digital personal data, whether collected online or digitized for processing. The Rules extend to entities both within India and abroad if they offer goods and services to individuals in India. At the same time, they exclude personal or domestic use and certain categories of publicly available information from the Act’s scope.
Second, the Rules emphasize consent-based processing. A data fiduciary is required to provide comprehensive notices detailing the purpose of data collection. Consent must be informed, capable of withdrawal, free and specific. The Rules also require that users be given accessible mechanisms to check, manage and revoke their consent whenever they desire.
The Rules provide enhanced safeguards for children’s data. A fiduciary must obtain verifiable parental consent before processing any personal data relating to a child. Platforms are also prohibited from engaging in tracking, behavioral monitoring, or targeted advertising directed at children. These Rules are intended to create a more protected digital environment for minors.
The Rules also introduce a well-balanced compliance structure for larger entities, termed significant data fiduciaries, based on factors such as the volume and sensitivity of data processed. Such large entities must appoint a Data Protection Officer responsible for ensuring compliance and undertake data protection impact assessments and periodic audits. This mechanism reflects the balance between protecting the individual’s privacy and avoiding unnecessary burden on smaller entities.
Lastly, the Rules also ensure breach notification and data security. A fiduciary must adopt reasonable security measures and notify the affected individuals in the event of any breach. It must also adhere to storage limitations by retaining personal data only for the duration necessary for the stated purpose.
RECENT DEVELOPMENTS
The notification of the Digital Personal Data Protection Rules marks the completion of India’s long-awaited data protection framework. Current reports indicate that the government is likely to implement the Rules in a phased manner, allowing entities enough time to align their operations with the new requirements. The setting up of the Data Protection Board, which will act as a digital-first adjudicatory authority for resolving grievances and imposing penalties, is also underway.
Entities across sectors such as digital payments and e-commerce are preparing to strengthen their compliance frameworks. Organizations that handle children’s data or process data at a large scale are reviewing their compliance mechanisms. These developments point towards a more structured and well-balanced framework of data protection in India, bringing the country’s laws closer to global benchmarks.
CONCLUSION
The DPDP Rules finalize India’s legal framework for processing digital personal data by clearly outlining compliance duties and safeguards, including protection for children. They aim to strengthen the digital privacy of citizens while balancing user rights with practical business requirements. With phased implementation and oversight by the Data Protection Board, the regime is expected to become more transparent.
WRITTEN BY- SOUMITA CHAKRABORTY


