What are ‘Data Principals’ and ‘Data Fiduciaries’, and how do the DPDP rules affect them?
Data Principals are the individuals whose personal data is being processed, and Data Fiduciaries are the entities that determine how and why that data is processed. The DPDP rules aim to give Data Principals greater control over their personal data. Data Fiduciaries are required to provide identifiers to Data Principals (such as customer IDs or application references) so that they can exercise their rights, such as accessing, correcting or erasing their data. The rules also set out specific obligations for Data Fiduciaries regarding consent management and data security.

What are the key rights granted to Data Principals under the DPDP Act, and how can they exercise them?
The DPDP Act grants Data Principals several rights, including the right to access, correct and erase their personal data. They also have the right to know what data is being collected, why it is being collected and who it is being shared with, as well as the ability to withdraw their consent. To exercise these rights, Data Principals can use the identifiers provided by Data Fiduciaries. They can also nominate representatives to manage these rights on their behalf. In addition, Consent Managers will play a role in helping Data Principals manage their consent.

What are ‘Significant Data Fiduciaries’, and what special obligations do they have?
Significant Data Fiduciaries (SDFs) are a subset of Data Fiduciaries that have been classified as such by the Central Government. The classification is based on factors such as the volume and sensitivity of the data they process, the risks to individuals’ rights, and the potential impact on India’s security and democratic processes. SDFs face stricter obligations under the DPDP rules, including enhanced security measures and reporting requirements. These additional obligations are intended to reflect the greater potential impact of their data-handling practices.

What role do Consent Managers play in the DPDP framework?
Consent Managers are entities that facilitate the management of consent for data processing. They provide a platform through which Data Principals can give, manage, review and withdraw their consent for the processing of their personal data by Data Fiduciaries. The mechanism aims to put individuals in control of their consent and to provide a clear audit trail of when consent was given or withdrawn, making the data-processing ecosystem more transparent and accountable. Consent Managers must maintain a net worth of at least two crore rupees, have sound management, and maintain a reputation for fairness.

What exemptions are granted under the DPDP Act, and why are some experts concerned about them?
The DPDP Act grants exemptions for the processing of data for research, statistical and archival purposes, provided there are adequate security safeguards. Exemptions are also provided for processing by the State or its instrumentalities for the provision of subsidies or benefits, where there is prior consent or the data already exists in State-maintained records. There is also an exemption for law-enforcement purposes when preventing, investigating or prosecuting an offence. Experts are worried about the broad definition of “instrumentalities of the State” and the potential for government overreach, including the possibility of surveillance under the guise of national security. Furthermore, the Government has been given broad powers to request data, which could be used to stifle dissent, as there are currently few robust checks and balances in place.

How does the DPDP Act address the processing of children’s data?
The DPDP Act places additional restrictions on the processing of children’s data. Data Fiduciaries are required to obtain parental consent before processing a child’s personal data and may not engage in tracking, behavioural monitoring or targeted advertising directed at children. In addition, Data Fiduciaries must not process data in a way that is likely to cause detriment to a child’s well-being. The Act allows for certain exemptions that may be prescribed for particular Data Fiduciaries or for specific purposes of processing.

What are some of the challenges and points of contention regarding the DPDP rules?
Several challenges and points of contention have emerged. One major area is the lack of a clear definition of key terms such as “instrumentality of the State”, which has led to concerns about government overreach. Data localisation is another concern, with fears that future mandatory rules could create unnecessary barriers to cross-border data flows. The concept of ‘vicarious consent’, the ability to consent on another’s behalf in certain situations, is not directly addressed by the Act. Additionally, the broad terms used to define the Government’s powers to request data can be interpreted widely.

How do the DPDP Act and rules compare to the EU’s General Data Protection Regulation (GDPR)?
While both the DPDP Act and the GDPR aim to protect personal data, there are key differences. The GDPR provides a comprehensive framework for data protection, focusing on strict consent requirements, the right to be forgotten, and stringent rules for data transfers outside the EU. The DPDP Act has similar features regarding consent and data access, but the Indian legislation also includes broader exemptions for the State and fewer restrictions on cross-border transfers of data, although the issue of data localisation may be revisited in future regulations. The DPDP Act does not currently include explicit provisions on the right to be forgotten. It also gives the Central Government, as well as specific government departments, a high degree of control in certain situations.