The Data Protection Board itself will be ‘born digital’, with a digital platform and app to enable citizens to approach it digitally and to have their complaints adjudicated without their physical presence being required
Stating that adequate time would be given to all entities to adapt their systems to meet the requirements, a government official said processing of digital data on the basis of consent given before the coming into force of the new law was permitted. Image for representation. | Photo Credit: Getty Images
The draft Digital Personal Data Protection Rules seek to protect citizens’ rights in accordance with the Digital Personal Data Protection Act, 2023, while achieving the “right balance between regulation and innovation”. Adequate time would be given to all stakeholders, from small enterprises to large corporates, for the smooth transition to achieve compliance, according to the Union government.
As provided, the Data Protection Board itself will function as a digital office and will be “born digital”, with a digital platform and app to enable citizens to approach it digitally and to have their complaints adjudicated without their physical presence being required.
People can share their feedback on the draft through the MyGov portal at the link https://innovateindia.mygov.in/dpdp-rules-2025 till February 18. “In addition, structured interaction for feedback with identified stakeholders, such as civil society, industry and government organisations, would also be organised to gather feedback. All feedback/comments will be taken into consideration while finalising the rules,” an official said. The final rules as notified will also be placed before Parliament.
Also Read | IT Ministry notifies draft rules on data protection law, seeks feedback by February 18
Stating that adequate time would be given to all entities to adapt their systems to meet the requirements, the official said processing of digital data on the basis of consent given before the coming into force of the new law was permitted. Such processing could continue while citizens were given notice of it so that they could exercise their rights under the law.
“While clear obligations have been cast on ‘data fiduciaries’ to protect personal data in accordance with the law, prescriptions have been kept to a minimum and compliance burden has been kept low by enabling compliance through digital means. While the entities will prepare themselves for compliance with the law during the period given for adapting their systems, widespread awareness initiatives will be undertaken to educate the citizens about their rights on their personal data,” the official said.
Under the rules, digital platforms will have to inform and take the consent of people in a language of their choice — either in English or in any of the 22 Indian languages listed in the Constitution. They would also have to notify their users of the online links using which they may exercise their rights for withdrawing their consent, obtaining information regarding processing of their data, updating and erasing their data, grievance redress, nomination, and making a complaint to the Data Protection Board.
Also Read | Data Protection rules balance regulation & innovation while safeguarding citizens’ rights: Vaishnaw
The data fiduciary is required to adopt technical and organisational measures to ensure that verifiable consent of the parent is obtained for processing personal data of a child. The Act provides for graded financial penalties in case of the violation of the Act and the rules.
“The quantum of penalty would depend upon the nature, gravity, duration, type, repetitiveness, efforts made to prevent breach, etc. Further, significant data fiduciaries have higher obligations under the Act and rules, while a lower compliance burden is envisaged for startups. Therefore, any penalty imposed for defaults would be fair and proportionate,” the official said.
The Data Fiduciary may at any stage in the proceedings voluntarily provide an undertaking to the Data Protection Board which, if accepted by the Board, would result in the dropping of proceedings.
The Act and the draft rules do not mandate that all personal data has to be stored within India. However, they provide that transfer of personal data outside India may be restricted for certain classes. The draft rules envisage a committee that may recommend restriction on such transfer by a significant data fiduciary with respect to specified personal data, the government said.
Published – January 05, 2025 06:12 pm IST
aniltikotekar4sme.com 