MeitY releases draft rules of DPDP Act for public consultation. Here are key points 

On January 3, the Ministry of Electronics and Information Technology released the draft rules for the Digital Personal Data Protection Act. 

These rules have been eagerly anticipated since the Act was passed in Parliament in August 2023. The government is now inviting feedback on the draft rules via the MyGov portal, with the deadline set for February 18, 2025. 

The rules are expected to clarify various aspects of the law, such as data fiduciaries’ notice to individuals, the registration and responsibilities of consent managers, the handling of children's personal data, and more. Additionally, the rules are likely to offer details on the establishment of the Data Protection Board, along with the appointment and service conditions for its chairperson and members. 

Processing of children’s data  

As per the explanatory note, the draft rules outline the requirements for obtaining verifiable consent from parents or legal guardians before processing the personal data of children or persons with disabilities. Specifically, a Data Fiduciary must implement measures to ensure that the person providing consent for a child’s data processing is the child’s parent or legal guardian, and that the parent or guardian is identifiable.

It also lays down rules for utilising children’s data. The processing of children's personal data by these entities is permitted, but it is restricted to specific activities like health services, educational activities, safety monitoring, and transportation tracking. These activities must be necessary for the well-being and safety of the child, ensuring that data processing is done within a defined a limited scope. 

Registration, obligations of a Consent Manager  

As per the draft rules Consent Manager must be a company incorporated in India with sound financial and operational capacity, having a minimum net worth of Rs 2 crore, a reputation for fairness and integrity in its management, and a certified interoperable platform enabling Data Principals to manage their consent. 

The Consent Manager must also maintain independence, with strict rules to prevent conflicts of interest involving its directors or senior management and Data Fiduciaries. 

Issue of services by the State 

The State and its instrumentalities may process the personal data of Data Principals to provide or issue subsidies, benefits, services, certificates, licenses, or permits, as defined under law or policy or using public funds. Processing in these cases must adhere to the specific standards outlined in Schedule II, which ensures lawful, transparent, and secure handling of personal data for such purposes. 

Setting up of Data Protection Board 

The rules also proposed as the establishment of Data Protection Board as a regulatory body. It will operate as a digital office, with remote hearings and will have powers to investigate breaches, enforce penalties and so on. 

Speaking on the draft DPDP rules, Kazim Rizvi, Founding Director, The Dialogue – a thinktank – said, “The DPDP Rules provide essential guidance for implementing the legislation. However, advancing the framework requires multi-stakeholder discussions to offer deeper insights into its application, fostering innovation while safeguarding the rights of data principals. Key areas that demand further attention include verifiable consent mechanisms, cross-border data transfers, and breach notification processes." 

The rules also need to address challenges posed by emerging technologies like Artificial Intelligence, Rizvi said. "Furthermore, the central government retains the authority to restrict the cross-border transfer of specific personal data by significant data fiduciaries. Rule 15 does not explain the exemptions under Section 17(2)(B) related to research, archiving, or statistical purposes, leaving ambiguity around whether AI models trained on personal data for research are covered by these exemptions,” he added. 

MeitY has invited feedback/comments from its stakeholders on the draft rules. The draft rules along with explanatory notes are available to facilitate ease of understanding are available on ministry’s website at www.meity.gov.in/data-protection-framework.  

The feedback/comments on the draft rules in a rule wise manner may be submitted by February 18.