
Consent, breach reporting discussed in data protection talks

Jan 21, 2025 08:14 AM IST

The draft DPDP Rules, released for public consultation on January 3, are crucial for implementing the DPDP Act, which was notified in August 2023 but remains to be enforced

Companies are not obligated to use government-issued identity documents to obtain parental or guardian consent for processing children’s data under the Digital Personal Data Protection (DPDP) Act or the proposed rules, senior officials from the ministry of electronics and information technology (MeitY) told stakeholders during a Mumbai consultation on Monday.

Unlike the New Delhi consultation on January 14 that drew more than 300 attendees, Monday’s meeting focused on banking, fintech, and healthcare, with fewer than 50 participants including representatives from HDFC Bank, Johnson & Johnson, Sony, and Lionsgate. (Getty Images/iStockphoto)

IT secretary S Krishnan led the consultation, joined by additional secretary and UIDAI CEO Bhuvnesh Kumar, and head of MeitY’s cyber laws division Deepak Goel. Unlike the New Delhi consultation on January 14 that drew more than 300 attendees, Monday’s meeting focused on banking, fintech, and healthcare, with fewer than 50 participants including representatives from HDFC Bank, Johnson & Johnson, Sony, and Lionsgate.


Officials acknowledged that obtaining verifiable parental consent (VPC) presents significant challenges, explaining that the draft rules were intentionally left open-ended to allow industry-led solutions to evolve. Krishnan emphasised the importance of maintaining data minimisation principles while seeking VPC, according to two sources who spoke to HT on condition of anonymity.

Consent dominated discussions, particularly regarding legacy data processed under the Sensitive Personal Data or Information (SPDI) Rules, 2011. Under the SPDI Rules, consent is required only for processing sensitive personal data, whereas the DPDP Act requires consent for all personal data processing. This raises questions about data that companies currently hold without consent under the SPDI Rules but which will require consent under the DPDP Act.

Stakeholders raised numerous questions about consent managers, including questions about their functioning and business model. One official suggested that revenue would likely come from service providers rather than users, as the ministry doubted users would pay for consent processing.

At least two stakeholders noted that current RBI regulations restrict account aggregators to processing financial data only. Similar sectoral limitations exist for health data consent managers, prompting questions about whether consent managers would be sector-specific or interoperable across sectors.

MeitY officials emphasised that consent managers cannot belong to the same group entity as an existing data fiduciary to avoid conflicts of interest. They stressed that consent managers must remain “data blind” except for consent-gathering purposes.

Regarding breach reporting, stakeholders urged harmonisation with existing regulatory requirements. One suggestion proposed a unified portal for reporting all breaches, accessible to relevant regulators and adjudicators. When stakeholders asked whether this intimation could be sent only after companies had taken remedial measures, MeitY was “adamant” that companies must inform users of breaches immediately, sharing all available information.

An IIT professor inquired about exemptions for services that the institute provided to the government, and if data processing for research and academic purposes would be exempted.

At least one participant said that data protection impact assessments for significant data fiduciaries should be required only when the company introduces a new product or changes a process, rather than once every twelve months as proposed in the rules. Participants also sought clarification on algorithmic software due diligence requirements.

Stakeholders requested MeitY to prescribe data retention periods beyond the currently specified e-commerce platforms, social media sites, and gaming platforms.
