Draft Digital Personal Data Protection Rules, 2025

The Digital Personal Data Protection Act, 2023 (DPDP Act) was enacted in 2023 and is the primary legislation governing the processing of personal data in India. It aims to safeguard the right to privacy by establishing a robust framework to ensure that personal data is processed lawfully and transparently. The Draft Digital Personal Data Protection Rules were introduced on 3rd January 2025 to facilitate the implementation of the DPDP Act.

RELEVANT ACTORS UNDER THE RULES

A Data Fiduciary is defined under Section 2(i) of the DPDP Act as any person, organization, or institution that determines the purpose and means of processing personal data.

A few examples of Data Fiduciaries include:

    i. Financial institutions such as commercial banks, insurance companies, etc.
    ii. Search engines such as Google, Safari, Microsoft Edge, etc.
    iii. Social media platforms such as Facebook, Instagram, WhatsApp, etc.
    iv. E-commerce platforms such as Amazon, Flipkart, etc.
    v. Streaming services such as Hotstar, Netflix, Prime Video, etc.

A Data Principal is defined under Section 2(j) of the Act as the person whose information is collected or the person to whom the information relates. In the case of a child, it also includes the child’s parents or guardians, and in the case of a person with a disability, it includes the lawful guardian of that person.

In simpler terms, a Data Principal refers to any individual whose data is being collected by Data Fiduciaries. This could include daily users of an app, subscribed members of a service, or even a company or firm. If a person’s data is being collected in any form, that person is considered the Data Principal.

For example, if Mitra wishes to open a Gmail account, she is typically required to provide personal information such as her age, date of birth, etc., to create the account. In this case, Mitra is a Data Principal, and Google is the Data Fiduciary.

Consent Managers are defined under Section 2(g) of the DPDP Act as entities registered with the Data Protection Board that enable a Data Principal to share, manage, and withdraw their consent through an accessible, transparent, and interoperable platform.

MAJOR DEVELOPMENTS BROUGHT BY THE DPDP RULES

  1. Parental Consent for Minors

Section 10 of the Draft Rules proposes that Data Fiduciaries must ensure that the verifiable consent of a parent is obtained before processing any personal data of a child. When obtaining the parent’s consent, Data Fiduciaries must verify the identity and age of the parent from the data available with them, or must verify the identity and age via a virtual token issued by an entity entrusted by law or the Government, which may include the token available through the DigiLocker application.

For example:
Riya, a child, is trying to access the Instagram app. Before processing any of her personal data for the creation of her account, Instagram must obtain her parent’s consent and verify the parent’s identity and age in the following ways:

    i. If the parent is already a registered user of Instagram, Instagram must confirm that their database holds the authentic identity and age of the parent.
    ii. If the parent is not a registered user of Instagram, Instagram must verify the identity and age of the parent through a virtual token issued by an entity entrusted by law or the Government, such as the token made available through the DigiLocker application.

  2. Consent of Lawful Guardian for Persons with Disabilities

In the case of persons with disabilities, Data Fiduciaries must ensure that the verifiable consent of the lawful guardian is obtained before processing any personal data of such a person. In obtaining the consent of the lawful guardian, Data Fiduciaries must verify the identity and age of the guardian from the data available with them, or must verify the identity and age via a virtual token issued by an entity entrusted by law or the Government, which includes the token made available through the DigiLocker application.

  3. Restriction on International Transfer of Data

Section 14 of the Draft Bill imposes restrictions on data fiduciaries, requiring them to comply with the conditions specified by the Central Government for making data available to any foreign state. This empowers the Government to impose restrictions on the transfer of data to certain countries or agencies/entities under state control, which data fiduciaries are obligated to adhere to.

Exception: Processing data for research, archiving, or statistical purposes will be exempted from the provisions of this Act.

  4. Rights of Data Principals

The Draft Rules establish the rights of the Data Principals to:

    i. Withdraw consent previously given for the processing of personal information, and
    ii. Request Data Fiduciaries to erase personal data provided to them earlier.

  5. Obligations of Data Fiduciaries

To enable Data Principals to exercise these rights, Data Fiduciaries and Consent Managers must publish on their website, app, or both:

    i. Details of the means by which Data Principals can exercise their rights,
    ii. Identifying details, such as usernames, to facilitate identification, and
    iii. A grievance redressal system for addressing the grievances of Data Principals.

The Rules also set out requirements for the notice given by a Data Fiduciary:

    i. It must be in clear and plain language,
    ii. It must include an itemized description of the personal data being collected, and
    iii. It must state the purpose for collecting and processing personal data.

The Data Fiduciaries must also provide Data Principals with a communication link for accessing their website or app, through which the Data Principal may withdraw her consent and exercise her rights under this Act.

  6. Establishment of Search-cum-Selection Committee

The Act proposes the creation of a Search-cum-Selection Committee to recommend candidates for appointment as Chairperson and Members of the Data Protection Board.

This committee shall consist of:

    i. Cabinet Secretary
    ii. Secretary of the Ministry of Electronics and Information Technology
    iii. Secretary of the Department of Legal Affairs
    iv. Two experts having special knowledge or practical experience.

  7. Processing of Personal Information by the State

Section 5 gives the State or any of its instruments the power to process personal information of Data Principals to issue various governmental perks such as subsidies, benefits, services, certificates, licenses, or permits.


SUMMARY OF CHANGES

| Sr No | Item Changed | Draft Digital Personal Data Protection Rules, 2023 |
|---|---|---|
| 1 | Notice | Elaborates on how a notice should be worded and what the contents of a notice are. |
| 2 | Consent | Consent of the parent and lawful guardian must be taken for the processing of information of a minor and person with disability, respectively. |
| 3 | Transfer of Data outside India | For transfer of personal data outside India, data fiduciary must meet such requirements that the Central Government may prescribe. |
| 4 | Rights of Data Principals | Data Principals have the right to withdraw consent and request for erasure of personal data. |
| 5 | Obligations of Data Fiduciary | The Rules elaborate upon the obligations of the data fiduciaries to protect the rights of the data principals. |
| 6 | Establishment of Search-cum-Selection Committee | Act proposes the creation of a Search-cum-Selection Committee for the appointment of Chairperson and Members of the Data Protection Board. |
| 7 | Processing of Information by State | The State or any of its instruments can process personal data to issue subsidies, benefits, licenses, certificates or permits. |
