The Indian government has released a draft version of the Digital Personal Data Protection (DPDP) Rules for public consultation.
India’s Press Information Bureau (PIB) announced on Sunday that data fiduciaries must provide transparent and easily understandable explanations of how personal data is handled, thereby allowing informed consent.
Residents can request data erasure, appoint trusted digital representatives, and access streamlined tools to manage their data.
The rules aim to operationalise the Digital Personal Data Protection Act, 2023, by giving individuals better control over their data, allowing them to make informed decisions about the processing of their information, and granting the right to erasure on digital platforms, while also providing a mechanism for addressing complaints.
Companies operating in India must implement robust security measures, such as encryption, access control, and data backup systems, to protect sensitive information and ensure that its confidentiality, integrity, and availability are preserved at all times.
Notable provisions of the Digital Personal Data Protection (DPDP) Act that data fiduciaries are expected to comply with include:
- The organization shall establish mechanisms to promptly detect and respond to potential security breaches involving sensitive information, ensuring the integrity and confidentiality of data. This will involve regular reviews of logs, monitoring system activity, and implementing automated alert systems to identify suspicious patterns or anomalies.
- Upon occurrence of a data breach, the organization shall provide comprehensive information regarding the chronological sequence of events leading to the incident, the measures taken to contain the threat, and the identity of the individuals involved, if known, within 72 hours (or as permitted) to the Data Protection Board (DPB).
- Erase personal data after a three-year period, giving individuals 48 hours' notice before the deletion occurs.
- Clearly display on their digital platforms the contact details of the appointed Data Protection Officer (DPO), who is responsible for responding to all inquiries regarding the handling of customers' personal data.
- Acquire verifiable consent from parents or authorized guardians prior to processing the personal data of minors under 18 years old or individuals with disabilities; exemptions apply to healthcare professionals, educational institutions, and childcare providers, but only for specific purposes such as healthcare services, educational activities, security monitoring, and transportation management.
- Conduct a comprehensive Data Protection Impact Assessment (DPIA) and a thorough audit annually and submit the findings; this applies only to data fiduciaries designated as significant.
- Comply with the federal government's requirements on cross-border data transfers; a dedicated committee will determine the exact categories of personal data that must remain within India’s territorial bounds.
The draft rules also propose additional safeguards for residents whose personal information is being processed by government agencies or private companies, mandating that this processing occurs in a manner that is lawful, transparent, and aligned with established legal and policy standards.
Entities that recklessly disregard the security of individuals’ digital data, failing to protect it or to notify the Data Protection Board of a breach, may incur substantial financial penalties of up to ₹250 crore ($30 million).
The Ministry of Electronics and Information Technology is seeking public input on the draft until February 18, 2025. The submissions will remain confidential and will not be disclosed to any party.
The DPDP Act came into effect in August 2023, following several revisions since its introduction in 2018. The data protection regulation followed a landmark 2017 court ruling in India that affirmed the right to privacy as a fundamental right under the Indian Constitution.
The development comes more than a month after the Department of Telecommunications issued the Telecom Cyber Security Rules, 2024, aimed at safeguarding communication networks while enforcing strict rules for data breach disclosures.
Under the new rules, telecommunications entities must notify federal authorities within six hours of becoming aware of any security incident affecting their networks or services, with the affected organization furnishing additional relevant details within 24 hours.
In addition, telecommunication companies are required to appoint a Chief Telecommunication Security Officer (CTSO), who must be an Indian citizen and a resident of India. They are also required to share traffic data – excluding message content – with the federal authorities in a specified format for “defending and ensuring telecom cybersecurity.”
However, the Internet Freedom Foundation said that the removal of the definition of “traffic data” and the adoption of overbroad language in the draft could create an opening for potential abuse.