The rules to implement the digital personal data protection (DPDP) Act have been finalised and are set to be released for public consultation by the end of this month, government officials said.
It assumes significance as despite being passed a year back, the implementation of the Act remains dependent on accompanying rules, which are yet to be notified. Bringing out the rules for consultation was part of the government’s 100-day agenda as well, which it completed on Tuesday.
“DPDP rules are ready. They are at the approval stage and will be released for consultation by the end of September,” an official said, adding that the consultation process will be for more than a month.
According to the Act, firms concerned will need to collect data afresh from users and clearly spell out their purpose and usage. They will be booked for data breach if they depart from the purpose for which it was collected.
The government will also notify a data protection board that will levy a penalty of up to Rs 250 crore on a company in case of any incident of data breach and non-compliance with the provisions of the Act.
The Act also makes it mandatory for platforms to get parental consent before using data of children below 18 years of age. However, owing to issues in complying with the same, many companies urged the government for additional time to carry out necessary architectural changes.
A clarity on the method to processing children data also led to the delay in notification of the rules, officials said. Lately, the government asked big tech companies and other data fiduciaries to decide on the parental consent framework themselves.
Earlier, the government was thinking of three ways to seek consent for children data. Platforms can either rely on details of identity and age available with them or collected with the consent of such users, or they can use token in the electronics form being mapped to the details of such individuals generated either by a government agency or through DigiLocker.
Officials in the know said there was difficulty in establishing a parent-child relationship with the Aadhaar in cases of data update. Therefore, the technical feasibility of any of the prescribed solutions seemed difficult.
The government has likely exempted educational institutions, health establishments and certain government entities from the restrictions on processing of children’s data, sources said.
“Whatever extensive consultation is required for rule making, we will do that, similar to the way we did for the telecom Act and DPDP Act,” electronics and IT minister Ashwini Vaishnaw had said in a media briefing in June.