Under the Digital Personal Data Protection (DPDP) Act, big tech companies and multinational corporations (MNCs) can be directed to undertake one data protection impact assessment every year, sources said.
This obligation was conveyed to the industry on December 20 during a meeting on the DPDP Act, convened by the Ministry of Electronics and Information Technology (MeitY).
Minister for State for Electronics and Information Technology Rajeev Chandrasekhar chaired the meeting and it was attended by representatives of social media companies such as Meta, Google, Snap, representatives of IT companies and lawyers.
According to the law, the central government can notify any data fiduciary as a significant data fiduciary (SDF) based on the volume of personal data it processes, the potential risk this processing may have on users, risk to democracy, and so on.
So, for all purposes, major MNCs, and big tech platforms can be notified as SDFs by the government.
Also read: Explained - What the Digital Personal Data Protection Bill means for you
Such platforms, under the Act, will have additional obligations such as conducting data protection impact assessments, data audits and appointing data protection officers (DPOs).
The rules will define the contours of the DPDP Act, which became a law in August after it was passed in Parliament.
The ministry is expected to make the rules public in the next few days, and post that, the government will give the industry a week to get their feedback on the draft rules, sources said. The government plans to notify the rules by January 2024.
During the meeting, it was conveyed to the industry that the government will not prescribe the qualification eligibility criteria for the appointment of DPOs.
Exemptions for children's data processing?
Apart from that, during the meeting which lasted for more than an hour at the Shram Shakti Bhavan in New Delhi, discussions were held on other provisions of the Act, such as processing of children's data.
Sources said that attendees were told that educational institutions and health institutions can be exempted from the age-gating norms that are prescribed for processing children's data under the Act.
These exemptions from restrictions on children's data processing are likely to be included in a schedule that will be released by the ministry as part of the data protection rules, Moneycontrol has learnt.
Three sources who attended the meeting confirmed, on condition of anonymity, that the details have not yet been made public. A government official, however, denied the same.
The government has also informed the industry that the consent for processing children's data has to be taken from the "actual guardian", ie., the person who is responsible for the child. The onus has been put on the industry on a "best effort basis" to trace such guardians, a source said.
The DPDP Act defines a child as someone below the age of 18, and mandates that parental consent is required to process the data of a child. The law also puts a bar on tracking children or behavioural monitoring or targeted advertising at children.
These provisions have evoked concern from members of the civil society and industry alike. They had argued earlier that such imposition of restriction on processing children's data may curtail innovation.
Notice to not be very descriptive
Discussions were also held on the "notice" that platforms have to provide users in order to obtain consent for processing personal data.
According to the law, users will receive a “notice” from platforms, in English or in any of the major languages of the country. This notice will state the exact personal data of the user that is going to be processed, the purpose, process of grievance redressal, and so on.
During the meeting, attendees were informed that the government can share a model template on how the notice should look like.
The industry was informed to be not too detailed in the notice when it comes to listing out the purposes for processing a user's personal data.
Sources said that the government also informed that the "notice" will hold evidentiary value, and even if a user invokes the Right to Erasure of data, then the notice should be retained.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
