8 years after Supreme Court made privacy a fundamental right, India’s digital personal data protection law set to go live
NEW DELHI: Millions of citizens going online will have guaranteed control over their digital data while social media companies such as Facebook and Instagram will need verifiable parental consent before onboarding children, or those under 18 years, with the govt finally notifying rules to operationalise the digital personal data protection (DPDP) law that was originally passed by Parliament in Aug 2023.
The much-awaited rules promise a consent-based regime to safeguard the data of users who go online for social media, ecommerce, gaming, banking, payments, and for availing govt services.
Companies and organisations violating the rules will face penalties, up to Rs 250cr for serious failures to protect data and breaches.
The rules also require companies to quickly inform users and the new data protection board about any data breach. However, these rules will be implemented gradually. The govt has given an 18-month window to companies for transition, considering the big backend changes they will need to undertake.
Any breach must be promptly communicated in “plain language, explaining the nature and possible consequences of the breach, the steps taken to address it and contact details for assistance”, the govt said.
It also said the law is guided by “seven core principles” — consent and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security safeguards, and accountability.
Regarding online data of children, where Big Tech and other major companies had been lobbying for a “liberal” approach, the new law mandates that companies must obtain verifiable consent before processing their personal data, with limited exemptions for essential purposes such as healthcare, education and real-time safety.
“For persons with disabilities who cannot make legal decisions even with support, consent must come from a lawful guardian verified under applicable laws.”
To obtain verifiable parental consent for onboarding and processing a child’s personal data, companies must adopt appropriate technical and organisational measures to prevent children from accessing services by faking their age or guardians. The rules state that companies need to “observe due diligence, for checking that the individual identifying herself as the parent is an adult who is identifiable if required in connection with compliance with any law”.
The new rules also have provisions that allow the govt to restrict transfer of certain data outside the country, which is likely to be a worry for tech giants such as Meta, Google, and Amazon.
“A Significant Data Fiduciary shall undertake measures to ensure that personal data specified by the central govt, on the basis of the recommendations of a committee constituted by it, is processed subject to the restriction that the personal data and the traffic data pertaining to its flow is not transferred outside the territory of India,” the rules say, without giving any further details. The committee will be constituted by the central govt and will include officials from the Ministry of Electronics and Technology, apart from other departments and ministries.
And, to strengthen the rights of online users, the new law gives the right to individuals to “access, correct, update or erase their personal data” and even nominate another person to exercise these rights on their behalf. “Data Fiduciaries must respond to all such requests within a maximum of 90 days.”
For transparency and accountability, companies will need to display contact information — such as that of a designated officer or Data Protection Officer — to let individuals raise queries about personal data processing.
Also, companies with a large number of users will have enhanced obligations, including independent audits, impact assessments and stronger due diligence for deployed technologies. “They must also comply with govt-specified restrictions on certain categories of data, including localisation where required.”
The law now paves the way for formation of a Data Protection Board that will function as a fully digital institution, enabling citizens to file and track complaints online through a dedicated platform and mobile app. “Appeals against its decisions will lie with the Appellate Tribunal, TDSAT.”
