India's digital privacy law now operational: How does it affect you?
What's the story
India's first-ever digital privacy law, the Digital Personal Data Protection (DPDP) Act, has come into effect. The government has issued rules under the DPDP Act, giving companies and other stakeholders up to 18 months to comply with these guidelines. Consent managers have been given up to 12 months to register as representatives of users under this new legislation. So, what does it say? Let's find out.
User rights
New rules mandate transparency and user control
The new rules require social media and internet intermediaries, as well as companies dealing with user data, to provide an itemized description of personal data to users. This is aimed at obtaining their consent and specifying the purpose of data usage. Companies also have to let users withdraw their consent for personal data processing or file a complaint with the Data Protection Board if they think their rights have been violated.
Regulatory framework
Consent managers and Data Protection Board's role
To become a consent manager, an Indian company has to apply to the Data Protection Board (DPB) and meet conditions notified by the DPB from time to time. The DPB, which will be fully digital and headquartered in New Delhi, will have four members including a Chairperson. If a consent manager fails to meet all obligations at all times, its registration may be suspended by the DPB.
Service categorization
Digital intermediaries classified under new rules
The new rules classify digital intermediaries based on the nature of the service they provide. Separate timelines have been set for these platforms to delete a user's personal data, unless its retention is necessary for compliance with any law in force. In case of a data breach, the data fiduciary has to inform the affected users and the DPB within 72 hours of becoming aware of it.
Data processing
Significant data fiduciaries and parental consent
Under the new rules, the Indian government will specify the kind of personal data that can be processed by "significant data fiduciaries." Whether an entity is a significant data fiduciary will be determined by the volume and sensitivity of the personal data it processes, and by the risks it poses to India's sovereignty, integrity, electoral democracy, security, and public order. Tech companies are required to implement a mechanism for collecting "verifiable" parental consent before processing children's personal data.
Compliance measures
Data fiduciaries' responsibilities and penalties
The rules also require data fiduciaries to implement security measures to protect personal data, including encryption, access control, monitoring for unauthorized access, and data backups. They have to give data principals a clear notice before processing their data. This notice should include an itemized list of the personal data being collected and a clear description of the purpose of processing. Penalties for non-compliance can go up to ₹250 crore.