
01 Apr

DPDP rules rollout by April 2025 as MeitY reviews public inputs

Indian Government targets April for DPDP rules rollout as MeitY reviews public inputs

The Digital Personal Data Protection (DPDP) Act is indeed a significant step forward in India's data protection framework. The Ministry of Electronics and Information Technology (MeitY) is working diligently to finalize the rules by April 2025, following extensive consultations that began in January. These rules are crucial for operationalizing the DPDP Act, which was passed two years ago, and will provide a transition period for industries to adapt.

Key concerns raised during the consultation process include data localization requirements and verifiable parental consent for processing children's data. Industry bodies have expressed reservations about these provisions, emphasizing the need for a balanced approach that safeguards privacy while fostering innovation.

This development is particularly relevant for professionals such as Information Security Auditors, who are deeply invested in information security and regulatory compliance. Their primary concern is understanding how these rules will affect the industry, particularly with regard to implementation hurdles and the associated compliance expenses.

What are the key provisions of the DPDP Act?

The Digital Personal Data Protection (DPDP) Act introduces several key provisions to strengthen data protection and privacy in India:

Rights of Data Principals:
•    Right to access, correct, and erase personal data.
•    Right to revoke consent for data processing.
•    Right to grievance redressal for improper handling of data.
•    Option to nominate a consent manager for data-related requests.

Obligations of Data Fiduciaries:
•    Obtain explicit consent before processing personal data.
•    Ensure data security and transparency in handling.
•    Comply with regulations on data storage and transfer.

Data Localization:
•    Significant Data Fiduciaries (SDFs) may be required to store certain categories of data within India.

Children's Data Protection:
•    Verifiable parental consent is mandatory for processing data of individuals under 18 years.

Regulatory Framework:
•    Establishment of the Data Protection Board to oversee compliance and enforce penalties.

Extraterritorial Scope:
•    Applies to entities outside India if they process data of Indian residents while offering goods or services.

These provisions aim to balance individual privacy rights with the operational needs of businesses. 

Comparison of DPDP and GDPR

Scope:
DPDP Act: Focuses exclusively on digital personal data and applies to entities processing data of Indian residents, including foreign entities.
GDPR: Covers all personal data, both digital and non-digital, and applies globally to entities processing data of EU residents.

Consent:
DPDP Act: Requires explicit consent for data processing, with mechanisms for withdrawal.
GDPR: Also mandates explicit consent but includes stricter conditions for processing sensitive data.

Children's Data:
DPDP Act: Sets the age of consent at 18 and requires verifiable parental consent.
GDPR: Sets the age of consent between 13 and 16, depending on the member state.

Data Localization:
DPDP Act: Allows data transfers to trusted jurisdictions but may mandate localization for certain categories.
GDPR: Permits data transfers outside the EU only to countries with adequate protection or through specific safeguards.

Regulatory Oversight:
DPDP Act: Establishes the Data Protection Board of India.
GDPR: Employs independent supervisory authorities in each EU member state.

Penalties:
DPDP Act: Imposes tiered penalties up to ₹250 crore.
GDPR: Fines can reach €20 million or 4% of global turnover, whichever is higher.

These differences reflect the distinct legal, cultural, and economic contexts of India and the EU. 
 
