Mapping of Section 40 to the Draft Rules notified on January 3, 2025
| Sl No | Section 40 | Description | Draft Rule |
| 1 | (a) | the manner in which the notice given by the Data Fiduciary to a Data Principal shall inform her, under sub-section (1) of section 5; (purpose) | 3 |
| 2 | (b) | the manner in which the notice given by the Data Fiduciary to a Data Principal shall inform her, under sub-section (2) of section 5; ( Rights) | 13 |
| 3 | (c) | the manner of accountability and the obligations of Consent Manager under sub-section (8) of section 6; | 4 |
| 4 | (d) | the manner of registration of Consent Manager and the conditions relating thereto, under sub-section (9) of section 6; | 4 |
| 5 | (e) | the subsidy, benefit, service, certificate, licence or permit for the provision or issuance of which, personal data may be processed under clause (b) of section 7; | 5 |
| 6 | (f) | the form and manner of intimation of personal data breach to the Board under sub-section (6) of section 8 | 7 |
| 7 | (g) | the time period for the specified purpose to be deemed as no longer being served, under sub-section (8) of section 8; | 8 |
| 8 | (h) | the manner of publishing the business contact information of a Data Protection Officer under sub-section (9) of section 8; | 9 |
| 9 | (i) | the manner of obtaining verifiable consent under sub-section (1) of section 9; | 10 |
| 10 | (j) | the classes of Data Fiduciaries, the purposes of processing of personal data of a child and the conditions relating thereto, under sub-section (4) of section 9; | 11 |
| 11 | (k) | the other matters comprising the process of Data Protection Impact Assessment under sub-clause (i) of clause (c) of sub-section (2) of section 10; | 12 |
| 12 | (l) | the other measures that the Significant Data Fiduciary shall undertake under sub-clause (iii) of clause (c) of sub-section (2) of section 10; | 12 |
| 13 | (m) | the manner in which a Data Principal shall make a request to the Data Fiduciary to obtain information and any other information related to the personal data of such Data Principal and its processing, under sub-section (1) of section 11; | 13 |
| 14 | (n) | the manner in which a Data Principal shall make a request to the Data Fiduciary for erasure of her personal data under sub-section (3) of section 12; | 13 |
| 15 | (o) | the period within which the Data Fiduciary shall respond to any grievances under sub-section (2) of section 13 | 13 |
| 16 | (p) | the manner of nomination of any other individual by the Data Principal under sub-section (1) of section 14; | 13 |
| 17 | (q) | the standards for processing the personal data for exemption under clause (b) of sub-section (2) of section 17; | 15 |
| 18 | (r) | the manner of appointment of the Chairperson and other Members of the Board under sub-section (2) of section 19; | 16 |
| 19 | (s) | the salary, allowances and other terms and conditions of services of the Chairperson and other Members of the Board under sub-section (1) of section 20; | 17 |
| 20 | (t) | the manner of authentication of orders, directions and instruments under sub-section (1) of section 23; | 18 |
| 21 | (u) | the terms and conditions of appointment and service of officers and employees of the Board under section 24 | 20 |
| 22 | (v) | the techno-legal measures to be adopted by the Board under sub-section (1) of section 28; | 19 |
| 23 | (w) | the other matters under clause (d) of sub-section (7) of section 28; | – |
| 24 | (x) | the form, manner and fee for filing an appeal under sub-section (2) of section 29 | 21 |
| 25 | (y) | the procedure for dealing an appeal under sub-section (8) of section 29; | 21 |
| 26 | (z) | any other matter which is to be or may be prescribed or in respect of which provision is to be, or may be, made by rules…including who is a Significant Data Fiduciary | 1,2,6,14,22, |
It may be observed that all the rules notified may be mapped to one of the sub sections of Section 40. While some of the rules have schedules for more details, some rules are just a reproduction of the specific section of the Act.
Rule 6 about “Reasonable Safeguards” Rule 14 about Transfer of data outside India” and Rule 22 about officials to be appointed for certain purposes are linked to “Any other matter”. Out of this there could be some grumblings whether “Data localisation” is being brought in through the rules. This is one of the sensitive aspects of the rule since industry wants a free hand to transfer personal data collected in India outside the country including for AI learning and targeted advertising. However Section 16 of the Act can be considered as supporting this aspect.
The Schedule under Rule 22 provides for the means to declare any data fiduciary as a “Significant Data Fiduciary” and covers one of the gaps in the earlier draft version of the rules.
All the 22 rules may perhaps be considered “necessary”. We may continue to comment on each of the rule as to whether the detailing is “Sufficient or Excessive”.
Naavi
