Clarity on the procedure to obtain consent from users for personal data processing and details regarding children’s data are among the most anticipated aspects of the Digital Personal Data Protection (DPDP) Act’s rules, industry experts told businessline.

The DPDP Act is India’s data protection law that seeks to regulate the processing of people’s personal data by entities, termed by the law as “data fiduciaries.” Although the Act was passed by the Parliament in August 2023, many industry stakeholders still eagerly await notification of the DPDP Rules for further clarity on various provisions of the law.

According to Aparajita Bharti, Co-Founder of the public policy consulting firm Quantum Hub, companies are particularly looking for clarity on compliance procedures for consent and notice, data processing of children’s data and other “as may be prescribed sections” of the Act.

“The main issues that the Rules need to resolve are specific use-cases like child data and parental consent. What will qualify as ‘verifiably safe’? That clarity will really help the industry, especially those platforms where there are users under the age of 18 years,” said Bharti.

As per the DPDP Act, data fiduciaries must obtain verifiable consent of a parent or guardian of a child before processing the minor’s personal data. However, the law also stated that the consent must be obtained in a manner “as may be prescribed,” leading entities to wait for the DPDP Rules for further clarity on this front.

Similarly, Sreenidhi Srinivasan, partner at the legal and public policy firm Ikigai Law, said that some companies want to understand the procedure to notify the Data Protection Board of any data breaches. The procedure to inform the Board on this front was also left to the Rules in the as-may-be-prescribed section.

“While several companies have started preparatory work towards compliance, they hope the Rules will offer clarity on the process of notifying data breaches to the Data Protection Board and individuals as well as clarity on data retention timelines,” said Srinivasan.

Meanwhile, Mishi Choudhary, Founder of the digital rights advocacy group SFLC.in, said that the time for the implementation of the rules is the most important information for businesses to plan for the DPDP rules.

“The time for implementation is crucial for anyone to fix their practices to comply with the law,” she told businessline.

Choudhary also hoped for the Rules to elaborate on the exemptions granted to certain data fiduciaries or class of data fiduciaries, including start-ups, by the law. The DPDP Act allows the central government to issue a notification exempting certain data fiduciaries from certain provisions such as obligations for sending notice for user consent, accuracy of personal data collected, erasure of data after fulfilling purpose, processing of children’s data, user’s right to information about personal data. These exemptions will be granted based on the volume and nature of personal data processed by an entity and thus require more clarity in the Rules, said Choudhary.

“Any law is only as effective as it’s enforcement. GDPR has established itself as gold standard because enforcement is swift and fines are large. Only if the Board, established under the Act can act quickly, decisively, the Act will do the job required,” said Choudhary.

Related Topics