Data rules raise privacy concerns

The Draft Digital Personal Data Protection Rules have evoked a mixed response, and some feel that parts of the Rules go against the concept of privacy itself.

The Digital Personal Data Protection Act received Presidential assent in August 2023, while the Rules, released recently, are in the public domain for comments.

Except for a few aspects, the Rules are largely a reiteration of what was said in the Act. The central feature of the new law is the Notice that has to be given by the Data Fiduciary (the person who determines the purpose and means of processing personal data) to the Data Principal (the individual to whom the personal data relates). Notice plays a key role in the new law, and the Rules were expected to provide guidance and formats to facilitate uniform compliance.

However, it appears that the law-maker does not want to specify any format and has left it open to the Data Fiduciary, subject to the mandate of complying with the requirements of the Act and the Rules.

This is likely to create disputes in the future as to whether a given notice meets the requirements of the law.

If a bank is collecting personal data for the sanction of a loan, it would collect the PAN Card, Aadhaar Card, Income Tax Returns, Salary Slips, etc.

Notice has to be given to the borrower about the information collected, the purpose of its use, etc.

A link to the website or app of the bank has to be provided to enable the borrower to withdraw consent, exercise his rights, or make complaints to the Data Protection Board.

This is, however, subject to any other law that mandates retention of such data for a specific period.

Consent

Section 6 of the Act deals with consent and provides that it must be free, specific, unconditional and unambiguous with a clear affirmative action.

Here again, the Rules do not prescribe any format for consent, and it is up to the Data Fiduciary to ensure that consent is collected in accordance with the Act.

Consent Manager

The Rules deal with the registration and obligations of a Consent Manager. The Consent Manager is a person registered with the Data Protection Board who acts as a single point of contact to enable the individual to give consent, manage and review consent, and withdraw consent through an interoperable platform.

The role of state

A key aspect of the Act and the Rules is the role of the State. The Government may process personal data for the purpose of giving subsidies, benefits, certificates, licences, permits, etc. When it comes to the State and its instrumentalities, the concept of individual privacy is given a go-by. No notice or consent is required where the individual has previously consented to the processing of personal data or where such personal data is already available with the State.

The only caveat is that the State should process the data as per the standards set out in the Second Schedule to the Rules. These are very general in nature and are not as stringent as those applicable to non-State parties.

Erasure of Data

The Act and the Rules deal with the erasure of data. Rule 8 deals with the classes of persons set out in Schedule III who collect personal data and specifies the time period within which the data collected must be erased, unless its retention is necessary for compliance with any law.

For example, an e-commerce entity having not less than two crore registered users in India must erase the data within three years from the date on which the individual last approached the website for the performance of the specified purpose or the exercise of her rights, or from the commencement of the DPDP Rules, whichever is the latest.

Child Gating

The Data Fiduciary must implement measures to ensure that the person providing consent for the processing of a child's data is the child's parent or legal guardian, and further, the parent or legal guardian must be identifiable. The Rules give various examples of how this requirement may be implemented.

Currently, social media sites such as Facebook accept users aged 13 and above, and they do have policies for the protection of minors.

There are instances where children, in order to stay relevant amongst their friends or on account of FOMO, specify an adult birthdate in order to become a user.

Under these new Rules, the child would indirectly require the parent's consent, since the identity of the parent will have to be verified.

Either the parent may simply refuse to provide the verification needed for the child to join, or the parent would probably join the same social media platform to keep an eye on the ward. Given the peer pressure, the child may start the unethical practice of declaring a false age at a very early stage.

However, these Rules are not new to the world. Under the Children's Online Privacy Protection Act (COPPA), a US federal law, online operators have to obtain verifiable parental consent before collecting, using or disclosing personal information from children.

GDPR-K is the portion of the GDPR governing children's privacy. It requires apps or sites directed at children under 16 (or a lower age, depending on the EU country) to obtain verifiable parental consent.

The writer is an Advocate & Tax Consultant
