January 13, 2024 | Posted in News
The first set of draft rules under the Digital Personal Data Protection Act, 2023, will be released for a seven-day public consultation in the next two days, the Union minister of state for electronics and information technology, Rajeev Chandrasekhar, said during a public consultation with the industry on Wednesday.
He said rules related to notice and consent mechanisms, processing children’s data, personal data breaches, data retention, and exercising user rights, are among the issues on which rules will be notified in the first week of January.
Several people aware of the proceedings of the two-and-a-half-hour-long meeting told HT that multiple companies said a week was not enough, especially given the holiday season, because of which global teams might not be available. Chandrasekhar said that the rules are not controversial and do not require much consultation, but added that the consultation could be extended until the first week of January, HT has learnt.
To be sure, in October this year, union minister for IT Ashwini Vaishnaw had said that all the draft rules under the DPDP Act would be released in one go and would be placed in the public domain for public consultation for at least 45 days. Parallelly, the digital architecture for the Data Protection Board (DPB) will be developed, he had said. The notified rules would then be placed before the Parliament for approval and after that approval, the Board would be put in place. Appointment to the DPB will happen after parliamentary approval for the notified rules, Vaishnaw had said.
In Wednesday’s meeting, Chandrasekhar briefed the industry only on rules that directly concern them and did not give details of rules that relate to the government. HT has learnt that some rules related to the government have been formulated but were not discussed in the meeting. These include the creation of a schedule to exempt government research institutions from provisions of the act under section 17(2)(b), and, under section 7(b), a requirement that the state and its instrumentalities specify that data collected for providing benefits and subsidies can be used for other purposes, and notify users when it is used that way.
It is understood that rules related to the registration and functioning of consent managers, and techno-legal measures that the DPB would adopt have not been formulated yet.
The meeting was attended by representatives from Meta, Google, Snap, Samsung, Wipro, Infosys, Amazon, AWS, PayU, Reliance Jio, industry bodies NASSCOM and Fintech Association for Consumer Empowerment, and law firms Khaitan & Co and Cyril Amarchand Mangaldas (CAM), amongst others. HT has learnt that CAM was involved in drafting the rules but it is not clear if it was the only external entity.
‘Verifiable’ consent to process children’s data
Under section 9 of the act, before processing the personal data of a child (anybody under the age of 18) or a person with a disability, data fiduciaries are required to take “verifiable consent” from the parent or the lawful guardian through a prescribed method.
In the consultation, Chandrasekhar said that the method could involve making use of a digital locker, which could be run by the government, by a private entity, or through a collaboration between the two, or through any other “reliable method”. He did not specifically name MeitY’s own DigiLocker.
To obtain consent of parents or legal guardians, the data fiduciary will collect a digital token which proves certain details about the parent or legal guardian, and their ward. It is not clear if those details would be limited to just the age and identity of the parent/guardian, or would also need to establish their relationship with the child.
An executive from Snap raised a concern about how relationships could be ascertained, and how there were no global standards about it. Chandrasekhar said that it only needs to be “verifiable”, “reliable” and done on a best-efforts basis.
Any private entity that processes tokens under section 9 would need to be authorised by the central government. Currently, the Digital Locker Authority (DLA), which was created under Information Technology (Preservation and Retention of Information by Intermediaries Providing Digital Locker Facilities) Rules, 2016, licenses, empanels and manages digital locker service providers. However, no digital lockers are listed in the DLA directory on its website.
This token-generating entity would function like an intermediary between the parent and the data fiduciary, a person aware of the draft rules explained to HT.
It is not clear if these digital tokens can be mapped back to the parents/guardians at a later date, or how long these digital tokens have to be retained by the data fiduciary and the token-generating entity.
Before the DPDP Act was passed by the parliament and notified by the central government, stakeholders had raised concerns about how getting “verifiable” consent from parents/guardians would necessarily mean getting “verifiable” consent from everybody online, and thus lead to a collection of more than necessary personal data, thereby undermining everybody’s privacy.
Under section 9(3), the central government is also empowered to exempt classes of data fiduciaries from needing verifiable consent of parents/guardians, or from tracking children’s behaviour for purposes that the government can define. In the draft rules, the government has created a schedule of exempted activities which include daycare services, educational services, transportation services to transport children to educational institutions, and provision of state subsidies to children.
At this stage, it is not clear whether the exemption for educational services would also extend to educational platforms such as Byju’s.
Digital tokens for consent and notice
Under sections 5 and 6 of the Act, while or before seeking consent, the data fiduciary must also give notice to the user about the purposes for data processing, how the user can exercise their rights, and how they may complain to the DPB. The government is empowered to specify how the user should be notified and how consent should be taken.
To that end, Chandrasekhar talked about the “consent artefact” which was first proposed in October 2016 within the context of the Digital Locker Ecosystem. This “Electronic Consent Framework” governs how digital lockers take electronic consent. Chandrasekhar said that this framework would be updated to harmonise with the DPDP Act but did not provide details of how it would work.
“A consent artefact is a machine-readable electronic document that specifies the parameters and scope of data share that a user consents to in any data sharing transaction,” as per the framework. For this artefact to work, it has to be digitally signed by the user or the consent collector or both. It is not clear if every user online would now have to have a digital signature to access services and content online.
Chandrasekhar did not mention what documents could be used as the source of this consent artefact but in the Framework, Aadhaar, passport, PAN, and mobile number are given as examples of documents on which the consent artefact could be based.
Data to be retained for three years
Under section 8 of the Act, which lays down the general obligations of the data fiduciary, the government is allowed to describe the data retention period for different classes of data fiduciaries and for different purposes.
Chandrasekhar said that for social media companies, e-commerce companies and online gaming intermediaries, this data retention period will be three years. If a user does not log in to these platforms for three years, these classes of data fiduciaries would have to delete the data after notifying the user. These classes of fiduciaries are listed in a schedule which can be amended by the government as and when required.
An executive from Meta asked how companies could comply with law enforcement requests if personal data is to be deleted after three years. Chandrasekhar just said that companies would have to comply with the law enforcement requests for data. Law enforcement requests typically require data to be retained for a longer period. It is not clear if the proposed rule would mean that data fiduciaries would have to pick and choose what kind of and whose personal data to retain for a longer period in case of an eventual law enforcement request, or if they would retain all personal data of all users for a period longer than three years.
It is also not clear if these three classes of data fiduciaries will have to comply with the three-year data retention period only if they have users above a certain threshold or in all cases.
Inform DPB of data breaches immediately
Section 8(6) empowers the government to prescribe the form and manner in which the data fiduciary must inform the DPB and the user about a personal data breach.
In the proposed rules, the data fiduciary will be required to inform the DPB immediately in case of a personal data breach along with details of the scale of the breach. After this immediate notification, the data fiduciary will have 72 hours to give DPB the details of the breach which would include more extensive details of the scale of the breach and the measures that have been taken to mitigate the impact.
Data fiduciaries can seek more than 72 hours to send a detailed report by writing to the DPB but immediate notification is obligatory.
A participant asked how the requirement for immediate notification would interact with the CERT-In direction of 2022 which requires entities to mandatorily report cyber security incidents to CERT-In within six hours of noticing such incidents. It is understood that MeitY officials said that the two are different rules and should not be conflated.
To be sure, types of cyber security incidents that need to be mandatorily reported to CERT-In include data breaches.
The data fiduciary will also have to notify the users of how the individual user has been affected by the personal data breach and the steps they should take to mitigate the impact. No timeline for this notification has been given, HT has learnt. It is not clear how this Rule can be notified without the creation of a Data Protection Board.
Inform users of how to exercise their rights
In Chapter III, the Act gives users four rights — the right to access information about personal data, the right to correction and erasure of personal data, the right of grievance redressal, and the right to nominate in case of death or incapacity. The government is empowered to formulate rules for each of these rights.
Under the rules, Chandrasekhar said that all data fiduciaries will have to communicate how users can exercise their rights. They will have to give a link for communication in the notice, on the website and in the app.
Under section 10, a data protection officer has to be appointed by a “significant data fiduciary” (SDF) to act as a point of contact for grievance redressal. There was no discussion of who could be notified as an SDF but one participant asked what the qualification of a data protection officer should be. Chandrasekhar said that the government did not want to be prescriptive and it was up to the companies to appoint one.
The Act allows the central government to notify (not through rules but a simple Gazette notification) data fiduciaries or class of data fiduciaries as significant data fiduciaries based on the kind of personal data they process, risk to users’ rights, impact on sovereignty and integrity of India, national security and public order, and risk to electoral democracy. Such fiduciaries will attract more obligations.
The SDFs are also required to conduct periodic Data Protection Impact Assessments. Chandrasekhar did not share details but said that they would have to be conducted once a year.