Big Tech platforms will be required to verify that algorithms deployed by them for processing personal data do not pose any risk to users, the draft rules of the Digital Personal Data Protection (DPDP) Act says.
Importantly the draft also proposes that Big Tech firms cannot transfer personal data specified by the government outside the country.
The draft rules were released on January 3 for public consultation. The government will be accepting feedback till Februray 18.
The DPDP Act, passed in the Parliament in August 2023, said that the government can notify any data fiduciary as a significant data fiduciary based on the volume of personal data that it processes, the potential risk that this processing may have on users, risk to democracy, and so on.
So, for all purposes, major MNCs, and big tech platforms can very well be notified as significant data fiduciaries.
Section 12 of the DPDP Rules lists out the additional obligations that these platforms will have to comply with, including the one on ensuring the safety of the algorithm, and restrictions pertaining to transfer of personal data.
The rule 12(3) says, "A Significant Data Fiduciary shall observe due diligence to verify that algorithmic software deployed by it for hosting, display, uploading, modification, publishing, transmission, storage, updating or sharing of personal data processed by it are not likely to pose a risk to the rights of Data Principals."
Rights of Data Principals, according to the DPDP Act include right to information, right to access, right to erasure, to object, redress and so on.
Provisions surrounding algorithms were earlier expected in the now-shelved Digital India Bill. The bill was to replace the over-two-decade-old Information Technology Act, 2000.
The rule 12(4) says, "A Significant Data Fiduciary shall undertake measures to ensure that personal data specified by the Central Government on the basis of the recommendations of a committee constituted by it is processed subject to the restriction that the personal data and the traffic data pertaining to its flow is not transferred outside the territory of India".
This provision mandates that certain personal data, as determined by the Indian government, must be processed and stored entirely within the country's borders
The other obligations that such Big Tech companies will have to adhere to are --
- Conduct data protection impact assessment and an audit
- Furnish report of data protection impact assessment to the Data Protection Board
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
