New Delhi: More than two years after India’s first data privacy law was passed in Parliament, the Ministry of Electronics and IT (Meity) on Friday brought it into effect by notifying the rules, as well as a four-member data protection board under the Digital Personal Data Protection (DPDP) Act, 2023.
Under the data privacy law, Meity has offered 12 to 18 months to companies for implementing the law on ground. Specifically, companies will get one year until 14 November 2026 to appoint consent managers—who will be the nodal person of authority held accountable for social media platforms seeking consent to users’ personal data for business purposes.
In other cases, companies will have 18 months to implement a mechanism where they have to seek express permission from users before using their data for business purposes, such as targeted advertisements. Companies will also be required to inform the newly notified data protection board within 72 hours in case of data breaches, and also inform users themselves about the same, “without delay”.
Each social media platform and other parties handling user data will also be required to appoint a data protection officer within the next 18 months. Further, companies will need to seek “verifiable” parental consent before using personal data that belongs to users under the age of 18. However, there are exemptions offered in terms of using personal data, such as the real-time location of a child, taking into account underage safety.
The latter was a key demand from industry stakeholders, from the time the DPDP Act’s draft rules were put out.
The DPDP rules, under rule 15, has taken a blacklisting approach to transferring of personal data to other countries, stating that personal data being housed in other countries is acceptable by default, unless specific nations are blacklisted via the Centre’s notifications. However, rule 13(4) has specified that storage of personal data outside India may be restricted if defined so by a special committee, which will include members of Meity, as well as other ministries and government departments.
Industry stakeholders largely welcomed the draft, upon early inspection. “The DPDP rules offer clarity of terms to companies, such as defining the timeline within which the privacy rules are to be implemented. It was also important to clarify exemptions to usage of underage personal data for enabling safety features for children—such as applications that parents use for tracking location, ensuring children see age appropriate content and ads, etc. With these features now notified, a key industry demand has been clearly responded to by the Centre,” said Aparajita Bharti, founding partner at policy consultancy firm, The Quantum Hub.
The data protection board was also notified on Friday, coming into force from 14 November itself. The chairperson of the board will be offered a remuneration of ₹4.5 lakh per month as notified in the gazette, while the other three members will be paid ₹4 lakh per month.
