The DPDPA Draft Rules for Public Comments-1

The much-awaited draft rules on DPDPA for public comments were finally published on January 3, 2025 in the form of a Gazette Notification.

The set of rules follows the pattern that was discussed earlier at FDPPI as Version-1, with some important modifications such as the dropping of the model consent form and the dropping of the definitions.

The awareness level of DPDPA and the rules is so high at present in professional circles that a lot of discussion has already started on the rules in the discussion groups. Naavi.org will continue to provide its comments as we go along.

One of the noticeable rules is Rule number 22, accompanied by Schedule 7.

This rule invokes the power under Section 36 of DPDPA 2023 and states:

22. Calling for information from Data Fiduciary or intermediary.—

(1) The Central Government may, for such purposes of the Act as are specified in Seventh Schedule, acting through the corresponding authorised person specified in the said Schedule, require any Data Fiduciary or intermediary to furnish such information as may be called for, specify the time period within which the same shall be furnished and, where disclosure in this regard is likely to prejudicially affect the sovereignty and integrity of India or security of the State, require the Data Fiduciary or intermediary to not disclose the same except with the previous permission in writing of the authorised person.

(2) Provision of information called for under this rule shall be by way of fulfilment of obligation under section 36 of the Act.

Under this rule, different officials are proposed to be designated to guide the industry in respect of “Exemptions” and applicability of the Act.

Accordingly, an official will be notified to authorize the use of personal data by the State or any of its instrumentalities in the interest of the sovereignty and integrity of India or the security of the State.

Additionally, if any official has been authorized under any other applicable law (e.g. CERT-In) for the purpose of performance of any function under law or for disclosure of information, such official will also be the authorized person under this Act.

Another interesting observation is that the Government proposes to designate an officer from MeitY as the person to carry out the assessment for notifying any Data Fiduciary or Class of Data Fiduciaries as a Significant Data Fiduciary.

This role will be a very important role that defines the applicability of the Act to a large section of the industry. It is possible that a notification may follow on any “Class” of data fiduciaries that may be considered Significant Data Fiduciaries automatically.

DGPSI has covered this by requiring that a data fiduciary develop a self-status determination document, which will be assessed by the auditor. This requires the data classification to include a “Sensitivity Score”, with which the auditor may provide his view.

While we may wait for any further notifications from this officer, organizations need to make their own assessments of the sensitivity of the data processed by them and self-determine their status as a Significant Data Fiduciary, as proposed by the DGPSI framework.



Naavi

Comments to continue…
