New Delhi: More than two years after India’s first Privacy Act was passed in Parliament, the Ministry of Electronics and IT (Meity) on Friday brought it into force by notifying the rules as well as the four-member Privacy Committee under the Digital Privacy Act 2023 (DPDP).
Under the Privacy Act, Meity offered companies 12 to 18 months to implement the law on the ground. Specifically, companies will be given one year until November 14, 2026 to appoint consent administrators – who will be the nodal person responsible for social media platforms seeking consent to users’ personal data for commercial purposes.
In other cases, companies will have 18 months to implement a mechanism where they will have to seek explicit permission from users before using their data for commercial purposes, such as targeted advertising. Companies will also be required to notify the newly announced data protection board within 72 hours of a data breach, as well as notify users themselves “without delay”.
Each social media platform and other parties that handle user data will also be required to appoint a data protection officer over the next 18 months. Companies will also have to seek “verifiable” parental consent before using personal data belonging to users under the age of 18. However, there are exceptions to the use of personal information, such as a child’s real-time location, in consideration of the safety of minors.
This has been a key demand of stakeholders in the industry since the draft rules of the DPDP Act were submitted.
The DPDP Rules, in accordance with Rule 15, have taken the approach of transferring personal data to other blacklisted countries and states that the placement of personal data in other countries is acceptable by default unless specific nations are blacklisted through a notification by the Centre. However, Rule 13(4) states that retention of personal data outside India may be restricted if so determined by a special committee which will include members of Meita as well as other ministries and government departments.
After early review, industry stakeholders largely welcomed the proposal. “The DPDP rules offer clarity to companies on terms such as defining the timeline in which privacy rules are to be implemented. It was also important to clarify exemptions to the use of minors’ personal data to enable safety features for children – such as apps parents use to track location, ensuring children see age-appropriate content and ads, etc. With these features now announced, a key industry demand has been clearly addressed by consulting firm Aparajita Center of Bti Quantum Hub.
The Council for the Protection of Personal Data was also informed on Friday, which will come into effect on November 14 itself. The chairman of the board will be offered a reward ₹4.5 lakh per month as gazetted while the other three members will be paid ₹4 million per month.
