The upcoming rules to comply with the Digital Personal Data Protection (DPDP) Act will likely require platforms to address users’ grievances related to their personal data within 72 hours of receiving them.
Failing that, users will have the right to approach the Data Protection Board to appeal against the non-action of the data fiduciaries and seek remedy, according to draft DPDP rules which have been circulated among industry groups.
Prompt handling of user grievances by the companies is significant because users’ privacy depends on how their personal data is handled by the data fiduciaries. In the notice seeking consent to use personal information, the rules mandate that companies clearly state the time frame (which should not be more than 72 hours) within which user grievances will be addressed.
The notice should also include an online link, which users can use to appeal to the Data Protection Board in case the companies fail to address their grievances. The companies will have to create a login for users so that they can check all the consents they have given and withdraw consent just as easily.
In case of any breach of personal data, the companies will have to immediately inform the Data Protection Board and also send a detailed report, including the nature of the breach, its duration, the data involved, its impact, etc, within 72 hours. Similarly, the data fiduciaries are also obliged to inform the affected users of the details of the personal data breach within 72 hours, along with any actions the users need to take on their part, according to the rules.
The DPDP Act was passed by Parliament in August last year. As per the Act, the firms concerned will need to collect data afresh from users and spell out clearly its purpose and usage. They will be booked for data breach if they depart from the purpose for which it was collected, according to the provisions of the Act. The government will also notify a Data Protection Board that will levy a penalty of up to Rs 250 crore on a company in case of any data breach or non-compliance with the provisions of the Act.
For implementation of the Act, industry has been awaiting the rules under the Act. The government is expected to release the rules in the next two weeks, after which the companies are expected to get six months to a year to comply with the Act, depending on the scale of their operations.
As part of the rules, the government will also mandate platforms such as e-commerce companies, social media intermediaries, and online gaming companies with over 20 million users to erase the personal data of users whose accounts have been inactive for three years.
The platforms will have to intimate the users 48 hours before erasing the data, and if a user logs in to his or her account in that period, the platform must cease deleting the data, according to the rules.
One of the challenges flagged by the companies for implementation of the Act was seeking verifiable consent for children’s data. With regard to that, the government has included three such ways to seek consent. The platforms can either rely on the details of identity and age already available with them or collected with the consent of such users, or they can use a token in electronic form mapped to the details of such individuals, generated either by a government agency or through DigiLocker.
The government has exempted educational institutions, health establishments, and certain government entities from the restrictions on the processing of children’s data, according to the rules.
For healthcare institutions, the exemption is restricted to the provision of healthcare services to a child, whereas educational institutions will be allowed to undertake behavioral monitoring and tracking of educational activities of children.
For significant data fiduciaries such as big tech companies, there will be periodic audit and data protection impact assessment once a year, according to the rules.
For appointment of the chairman and members of the Data Protection Board, there will be a search-cum-selection committee whose members will include the Cabinet secretary, industry experts and the MeitY secretary.
The rules also provide for consent managers, who will maintain the record of users’ personal data for seven years.