Upcoming Directive: Swift Response Needed for Data Breaches

Newsearay News:
The Indian government is expected to release draft rules this week that will require organizations to promptly notify users and report breaches of personal data to the Data Protection Board. Under the proposed rules, the initial report to the board must include details such as the nature and location of the breach, duration, amount of data compromised, and potential impact. A more comprehensive report must also be submitted within 72 hours, outlining the circumstances and reasons leading to the breach, as well as steps taken to mitigate risks and prevent future incidents.

Additionally, the rules may introduce a consent artifact architecture, which would establish an electronic method for data principals (users) and data fiduciaries (companies handling data) to notify each other about giving or withdrawing consent for data use. This mechanism would also facilitate the management and review of consent.

These rules, which will be implemented under the Digital Personal Data Protection (DPDP) Act, India’s first law on data protection, aim to ensure compliance by technology companies. To enforce data protection, the Act has set penalties of up to ₹250 crore in case of a data breach. It also grants users rights to access their information, withdraw consent, and seek redressal in case of a breach.

However, legal experts have raised concerns about the potential increased compliance burden on companies. Currently, companies are required to report breaches to the Indian Computer Emergency Response Team (CERT-In) within six hours. With the proposed rules, organizations would have to report breaches to both CERT-In and the Data Protection Board, potentially adding to their workload.

Furthermore, experts argue that the consent mechanism needs to be simplified for average users, particularly in situations where data is willingly provided during physical transactions, such as entering user details at a restaurant. The proposed rules also suggest developing a mechanism for verifiable consent from parents or legal guardians for processing the data of individuals under 18 years of age.

The rules also require data fiduciaries to provide notice to users seeking consent for data processing. This notice must include a detailed description of the personal data being used, the purpose of processing, and the services or goods that will be provided. Companies must maintain a record of each consent notice for the duration of the consent period.

Additionally, the rules propose the establishment of consent managers: Indian companies with a net worth of over ₹2 crore that would be responsible for maintaining records for seven years and would be prohibited from subcontracting any of their performance or compliance obligations.

Minister of State for Electronics and Information Technology, Rajeev Chandrasekhar, has previously stated that the draft rules will address consent management, age-gating, and other areas. He has assured entities that they will be given a sufficient timeline to comply, with Big Tech potentially having a six-month window, while government bodies and small companies may have 12 to 18 months to adhere to the rules.

The Indian government is expected to release draft rules requiring organizations to immediately alert users and report breaches of personal data to the Data Protection Board. The rules may also include a consent artifact architecture, allowing users and companies to notify each other on data use consent. This comes after the implementation of India’s first data protection law in August, which includes penalties of up to ₹250 crore for data breaches. Legal experts have expressed concerns about the increased compliance burden on companies. The rules may also propose mechanisms for verifiable consent from parents or guardians for processing data of individuals under 18 years old. Consent managers and notice requirements for data fiduciaries are also suggested. The draft rules are expected to be issued for public consultation in early January.

Disclaimer: Only the headline and content of this report may have been reworked by Newsearay staff; the rest of the content is auto-generated from a syndicated feed.
