Companies waited nearly two years for the Indian government to frame rules for implementing the Digital Personal Data Protection Act—a threadbare legislation with a lot of queries on compliance mechanisms left unanswered.
The ministry of electronics and information technology’s (Meity) draft personal data protection rules published on Friday for public consultation are extensive. But they leave some questions hanging and raise a few concerns.
Mint explains: The DPDP Act considers “consent” as the primary factor for processing an individual’s “personal data”. However, such consent is required to be “free, specific, informed, unconditional and unambiguous”.
Moreover, the consent has to be limited for the “specific purpose” for which it is obtained. Rule 3 in the draft published on Friday provides clarity on the format of the notice under which consent can be obtained: it requires the description of the personal data to be collected, the specified purpose of the data collected, and the provision of a link to exercise the individual’s rights under the DPDP Act.
Concern: In emphasizing the “specified” purpose of the data, the legislators have created an overlap with the provisions of “Legitimate Use” under the DPDP Act, which allows data fiduciaries (controllers or organisations that handle personal data) to process personal data in cases “where the data principal has voluntarily provided her personal data to the data fiduciary, and in respect of which she has not indicated to the data fiduciary that she does not consent to the use of her personal data”. In other words, if a data fiduciary has to elaborate all required uses of an individual’s personal data under, the provisions of
. Read more on livemint.com