The government has unveiled the much-awaited Digital Personal Data Protection Rules (DPDP) Rules, 2023, omitting any specific mention of penalty for violation. The proposal comes more than a year after the Digital Personal Data Protection Act, 2023 was approved by Parliament.
Key provisions in the draft rules
The draft outlines procedures for obtaining explicit consent from individuals, including mandatory parental consent for the processing of children’s personal information. Under the rules, entities known as "data fiduciaries" ensure that parental consent is obtained before processing a child’s personal information.
The draft document emphasised the importance of data retention policies, requiring fiduciaries to retain personal data only with consent and mandating deletion thereafter. This applies to a wide range of channels, including e-commerce, social media, and sports organisations.
In addition, the regulation proposes to develop mechanisms for controlling individual consent through independent organisations, overseen by data controllers and separate authorities under the Regulation.
Absence of penal provisions
While the DPDP Act, 2023, mentions penalties of up to Rs 250 crore for data breaches by fiduciaries, the legal framework does not provide for any penalties for violations. This omission has raised questions on the ways in which compliance and accountability.
Public consultation invited
The draft rules, which have been released for public comment, will finally be considered on February 18. Citizens and stakeholders can review the draft law on the MyGov website and submit comments ahead of time if the given has been reached.
The DPDP Act, passed 14 months ago, aims to establish a robust framework for personal data protection in India. However, the absence of penal clauses in the draft rules may spark further debate during the consultation process.
Also read | Stage 3 GRAP restrictions imposed in Delhi-NCR as air pollution worsens
