Government To Notify Data Protection Board, Finalise Rules Soon

The Indian government is taking steps to establish the Data Protection Board (DPB) as a key component of the country’s new privacy law. The DPB will serve as a data regulator with the authority to investigate privacy breaches and impose penalties as outlined in the Digital Personal Data Protection (DPDP) Act of 2023. Rajeev Chandrasekhar, the Minister of State for Electronics and IT, has announced that the government will soon notify the DPB, including the appointment and recruitment rules for its chairperson and members.

The government is currently working on defining criteria for the selection of DPB members and developing operational guidelines for the board’s functioning. The DPB’s role is crucial in ensuring data privacy and security, as it will investigate violations and enforce penalties as specified in the DPDP Act. The DPDP Act, which recently became law, introduces a consent framework that allows companies and businesses (data fiduciaries) to process personal data only with explicit consent from users. It also empowers the government to specify geographical restrictions on data processing while allowing data to flow freely to other jurisdictions.

Notably, the DPDP Act includes provisions for substantial penalties, with fines of up to Rs 250 crore per data breach instance and a maximum penalty of Rs 500 crore for repeated violations. The law also imposes strict norms for the protection of children online and provides for blocking platforms that repeatedly violate the law.

Regarding the classification of “significant data fiduciaries,” the law specifies the types of parameters that will be used, but the actual parameters will be determined periodically by the government. Data fiduciaries classified as significant will also be required to conduct data protection impact assessments, and rules for this process are being formulated. Data fiduciaries will need to provide fresh notices for obtaining consent, and industry feedback will be sought in the process of seeking such notices. Significant data fiduciaries will also undergo data audits, ensuring their compliance with the law’s requirements.

While the Act does not prescribe specific qualification criteria for data protection officers, it places responsibility on the board of directors to ensure that they act in the best interests of data principals. The consent management ecosystem is expected to evolve, with the industry exploring digital tools to streamline the consent-seeking process.

Additionally, the Act grants individuals the right to nominate their representatives, a process that can be initiated and changed at any time. The government plans to discuss these matters further in industry consultations. The Indian government is actively working to implement the DPDP Act, establish the Data Protection Board, and define the rules and procedures necessary for safeguarding data privacy and security in the digital age. Stakeholder consultations and expert opinions will play a significant role in shaping the regulatory framework.