Alert first, act fast: Diktat on data breaches soon

Organizations that detect a breach of personal data may have to immediately alert affected users and flag the breach to the Data Protection Board, followed by a detailed filing within 72 hours. The government may release draft rules on the matter this week, a person aware of the matter said.

The first report to the board must specify the nature of the breach, its location, its duration, the amount of data involved and its potential impact, while the detailed report must describe the circumstances and causes of the breach, the steps taken to mitigate risk to users, and the measures put in place to prevent a repeat.

The rules may also envisage a consent artifact architecture—essentially, an electronic method for data principals (users) and data fiduciaries (companies handling data) to notify each other on giving or withdrawing consent on data use, and managing or reviewing that consent.

The Digital Personal Data Protection (DPDP) Act, India’s first law on data protection, was enacted in August, and the upcoming rules under the Act will lay the ground for compliance by technology companies. The Act provides for penalties of as much as 250 crore for a data breach. For the average user, the rules set out the right to access personal information held by any entity, the right to withdraw consent, mechanisms to correct or erase personal data, and mechanisms of redressal in case of a breach.

Legal experts pointed out that the proposed rules may increase the compliance burden, since companies already have to report cybersecurity incidents to the Indian Computer Emergency Response Team (CERT-In), the government agency that coordinates cybersecurity efforts, within six hours of noticing them.

“Organizations will have to do triple reporting of cybersecurity incidents. Such a regulatory situation increases the burden heavily on a company, wherein the companies, on a bad day, should ideally put in all their efforts towards the breach itself. Instead, compliance itself will take up too much effort,” said a senior partner at a law firm, who did not want to be named.

The consent mechanism needs to be simplified for the average user, a second lawyer said, adding that a linkage between the transaction and the consent record would be required in situations where users hand over data willingly, for instance during physical transactions.

“When entering user details in a restaurant, there’s no consent contract being agreed upon. But the user has the right to deny data permission. When consent is given through a transactional manner, it needs to have a simplified linkage mechanism for data consent. But in its absence, this may pose challenges,” the lawyer said.

The rules may also propose a mechanism for verifiable consent from a parent or legal guardian before processing the data of people under 18 years of age. The rules suggest relying on reliable details that the data fiduciary may already hold, on government-authorized digital tokens that carry the details of the parent or guardian, or on a digital locker service provider. At the moment, the government's own DigiLocker facility is used by a large number of people.

The rules also propose that data fiduciaries must give users notice when seeking consent to process their data. The notice must contain an itemized description of the personal data the fiduciary will use, the purpose of the processing, the goods or services the processing will provide to the user, and a declaration that only the personal data needed for that purpose will be processed.

A record of each notice seeking consent for processing personal data must be maintained by the company until the consent period expires. For consent given before the rules come into force, data fiduciaries will have to notify users again.

The rules also introduce the concept of consent managers: Indian companies with a net worth of over 2 crore that must maintain records for seven years and are barred from subcontracting any of their performance or compliance obligations.

Minister of state (MoS) for electronics and information technology (IT) Rajeev Chandrasekhar had told Mint in an interaction last month that the government intended to issue the draft rules for public consultation in early January, and that they would provide details on “consent management, age-gating and other areas.” He had said that entities will get a sufficient timeline to comply with the rules: Big Tech may get a six-month window, while government bodies and small companies may get 12 to 18 months to comply.