India’s Draft Personal Data Protection Rules Likely to be Released Within a Month

Posted by Reading Time: 3 minutes

India is expected to release a draft of the rules under the Digital Personal Data Protection Act (DPDP Act) within a month for public review.

Draft data protection rules to be issued by Government of India within a month

India’s Information and Broadcasting Minister Ashwini Vaishnaw told the media on August 19 that the central government is expected to release a draft of the rules under the Digital Personal Data Protection Act (DPDP Act) within a month.

The intention appears to be to simplify the rules and pass it on for public consultation. After the rules are published, the public consultation period may last between 45-60 days, subject to further extensions, to draw out comprehensive feedback.

Find Business Support
De-Risk Your Asia Business with a Company Health Check Review and Professional Advisory

The government intends to review all feedback and begin implementing the DPDP Act within this financial year, with plans to establish a Data Protection Board during this period.

The final draft of the DPDP Act was last reviewed by the government last week, per a report in the Business Standard. The supporting digital infrastructure being developed by the Digital India Corporation (DIC) and the National Informatics Center (NIC) has moved beyond the beta testing phase according to Vaishnaw.

The entire implementation structure has to be digital right from the beginning. That entire digital framework has now been completed from inception and is now fully operational. – Minister for Information and Broadcasting, Ashwini Vaishanw

What lies ahead

Find Business Support
Simplify compliance with Corporate Secretarial Services

The finalized rules will detail the processes for filing complaints, appealing decisions, and other essential procedures.

The current version of the DPDP Act provides specialized protections for children and individuals with disabilities. It defines a child as anyone under 18 years old. Section 9 requires data fiduciaries to obtain consent from a parent or legal guardian and verify the child’s age before processing a minor’s data.

However, the implementation of the DPDP Act has been delayed due to the need for additional clauses and rules.

Background

The DPDP Act is designed to safeguard personal data and privacy. Originally introduced on December 11, 2019, and passed by the Parliament in August 2023, the legislation sets forth strict guidelines for data protection, sharing, and storage, ensuring the security of individuals’ private information nationwide.

There have been discussions about possibly diluting the legislation, sparking concerns among privacy advocates. How these issues will be addressed in the parliamentary process remains to be seen.

The DPDP Act prohibits any private or public entity from using an individual’s data without their explicit consent, emphasizing the need to safeguard personal information. It also includes provisions for using data in matters of national security and judicial processes.

Key definitions compared to EU GDPR

The DPDP Act, while similar to the EU’s GDPR, differs in its terminology and definitions:

  • Data Fiduciary: This entity determines the purpose and methods for processing personal data. It is akin to a data controller in the GDPR. The government can designate certain data fiduciaries as ‘significant data fiduciaries’ (SDFs) based on factors like data volume, sensitivity, and broader societal impacts. SDFs face stricter compliance requirements.
  • Data Processor: An entity that processes personal data on behalf of a data fiduciary.
  • Data Principal: The individual whose personal data is collected and processed, similar to a data subject under GDPR.
  • Consent Manager: A registered individual who manages consent on behalf of data principals, allowing them to give, review, and withdraw consent through a transparent and interoperable platform.

Comments on the Broadcasting Services bill

Minister Vaishnaw also spoke to the media about the contentious draft Broadcasting Services (Regulation) Bill. He stated that the government will undertake new efforts, adopting a broader and more inclusive consultation process to ensure transparent dialogue in the content creation sector.

Also read:

About Us

India Briefing is one of five regional publications under the Asia Briefing brand. It is supported by Dezan Shira & Associates, a pan-Asia, multi-disciplinary professional services firm that assists foreign investors throughout Asia, including through offices in Delhi, Mumbai, and Bengaluru in India. Readers may write to india@dezshira.com for support on doing business in India. For a complimentary subscription to India Briefing’s content products, please click here.

Dezan Shira & Associates also maintains offices or has alliance partners assisting foreign investors in China, Hong Kong SAR, Dubai (UAE), Indonesia, Singapore, Vietnam, Philippines, Malaysia, Thailand, Bangladesh, Italy, Germany, the United States, and Australia.