Regulatory Influencer: India Consults on Data Protection Rules: A Data Protection Regime at Last?

January 15, 2025
India’s Ministry of Electronics and Information Technology is currently seeking feedback on its draft Digital Personal Data Protection Rules, along with an explanatory note that will implement the requirements of the Digital Personal Data Protection Act, which was passed in August 2023 and has not yet entered into force.

Key Considerations

The rules provide clarification and additional guidance and requirements on a number of sections of the act, including:

  • Provisions governing the setting up and day-to-day operations of “consent managers”, which will be third-party entities through which data principals (the act’s term for the individuals whose personal data is processed) can give, manage and withdraw consent to collection and processing by the data fiduciaries that use the managers’ services.
  • Guidance on the notification and handling of data breaches by data fiduciaries (the act’s term for the entity that determines the purpose and means of processing, broadly equivalent to a “controller” under the EU’s General Data Protection Regulation; the act uses “data processor” separately for an entity processing data on a fiduciary’s behalf), including the method, form and time limits for notifying the regulator and affected data principals.
  • Obligations for data fiduciaries to delete personal data that has gone unused for a specified period and to display clearly on their websites the contact details to which personal data complaints can be addressed.
  • Provisions allowing the Indian government to restrict the transfer of designated categories of personal data outside India.
  • Additional regulatory reporting requirements for significant data fiduciaries who will be required to conduct a yearly data protection impact assessment (DPIA) and comprehensive audit.

In addition to these obligations, the rules provide long-awaited information on what the Digital Personal Data Protection Board (India’s new personal data regulator) will look like and the processes for appealing the decisions made by it.

Why Should You Care?

The importance of the release of the first draft of these rules cannot be overstated. Leaving their content aside, their intended release in 2025 (reflected in their draft title) is an indicator that the Digital Personal Data Protection Act will enter into force imminently (rules cannot be enacted until the primary legislation enters into force), meaning that India will finally have a comprehensive data protection regime in place. Operators in India that process personal data would do well to begin preparations now to ensure that they are compliant when it does.

Moving on to the rules themselves, the setting up of a regulatory regime for “consent managers” presents a unique opportunity for payments operators and merchants who offer their services in India to essentially outsource the processing and consent requirement obligations for their customer data to one of these managers without the need to set up significant internal controls or departments themselves. This will be especially useful for crypto operators who at present cannot be based in India but may offer their services there, as they would also be required to abide by the act and rules as data fiduciaries.

Payments operators and merchants should also take note of the data breach notification requirements and their obligation to delete unused personal data to ensure that they do not fall foul of these new requirements, especially if they do not have these safeguards in place for their current personal data records. However, they may also be able to adapt the similar controls they already have under other data protection regimes, such as the EU’s General Data Protection Regulation.

Firms who plan to offshore data should also be aware that the Indian government may restrict what data they can store and process overseas, although there is currently no clarity on what these restricted categories of data will be.

Large firms and merchants with significant customer bases in India should also be aware that they may be designated “significant data fiduciaries” and will then have to abide by the additional requirements set out in the act and rules.

Next Steps

Although the draft rules for India’s Digital Personal Data Protection Act are still under consultation, firms should take proactive steps to prepare for compliance. Below are practical actions to consider:

  • Engage with the consultation process, particularly if there are sections of the rules you feel need more clarity or are impractical.
  • Assess consent management processes, especially if your firm does not have a physical presence in India or is domiciled in a jurisdiction where this is not a requirement.
  • Prepare for data breach and deletion requirements, paying close attention to any existing stored records that have been unused for some time.
  • Prepare for data transfer restrictions, especially if your firm deals with personal data that could be considered of importance to national security.
  • Conduct preliminary preparations for a DPIA and comprehensive audit if your firm is large enough to be declared a significant data fiduciary.

It is, however, important to note that these rules are still a draft at this point and should not be taken as issued legislation. Any entity or person who wants to provide feedback on the draft rules should do so via this portal by February 18, 2025.
