The window for public feedback was to end on February 18 and was extended to March 5. There will be no more extensions.
The Digital Personal Data Protection (DPDP) Act was ratified by Parliament and received Presidential assent in August 2023. The industry has since sought rules to provide clarity on the implementation of the law, which is aimed at protecting citizens’ private data. It is India’s first privacy law.
Union Minister for Electronics and Information Technology Ashwini Vaishnaw earlier told CNBC-TV18 that the rules were a “pragmatic approach to regulation, with an effort to balance regulation, innovation and the rights of citizens”. He said the focus was on ensuring that the rules don’t become too prescriptive, preserving room for innovation.
So, what are the major concerns and feedback that the industry and stakeholders have shared with the government?
- Potentially fresh conditions for data localisation.
- Seeking consent from existing users for personal data already collected can be cumbersome.
- Paytm, PhonePe sought a single notice to existing users. Unless a user revokes consent, the personal data processing must continue.
- Detailed guidelines on implementing rules requiring parental consent.
- Age verification, children falsifying age, the possibility of limiting content for children without tech-savvy parents.
- CII raised concerns about the 72-hour reporting window in case of breach; NASSCOM flagged a lack of clarity on “reasonable” security safeguards that companies must deploy.
MeitY released the draft rules for the DPDP Act on January 3. The rules aim to:
- Prescribe a simple, easy-to-understand notice to take consent to process digital personal data with information on the data collected and its purpose.
- Provide for entities or persons to operate as consent managers to grant, withdraw, review, or manage consent on behalf of users.
- Data localisation: allow the government to set fresh conditions for overseas data transfer.
- Allow the government to process personal data without consent in the case of social welfare benefits and subsidies.
- Place obligations on entities collecting personal information, such as security measures, intimation in case of breach, data protection officer, etc.
- Require entities that collect and process data of minors to obtain parental consent or consent from a legal guardian.
- Establish a Data Protection Board, giving power to the Centre to seek personal information from any entity in case of sovereignty or national security.