FDPPI conducted an event in Bengaluru on July 27 to discuss the proposed draft of the DPDPA Rules, which was earlier shared with select parties for comments. MeitY is now in the process of releasing another version for public comment. In the meantime, FDPPI held the event so that some comments can be sent to MeitY for incorporation in the immediate next version. The event was attended by over 100 professionals, most of them physically, who contributed to the discussions. Invitations had been sent to MeitY also, and we believe that there were observers from MeitY in the virtual meeting.
The participants were presented with 5 panel discussions and three keynotes and were also asked to share their views through a Google form. Though not all of them have yet filled in the Google form, the responses received indicate the trend, which we are sharing here.
We are now sharing the same form publicly so that anybody, including those who did not attend the event, can contribute their views. To submit your views you may need to refer to the draft rules at www.dpdpa.in/dpdpa_rules/. The Act itself is easily available at www.dpdpa.in
There are some professionals who would not like to comment since the draft rules discussed are not branded as “Official”. It is their choice to wait for the next version or raise their voice now itself with the rest of the industry so that the next version itself can incorporate some of these views.
Some of the interesting observations received so far are given below.
Out of the 40 questions shared, the following questions received a 100% “Yes” response.
Q2. Was it necessary to notify the definition of Significant Data Fiduciary?
Q31. Should Courts introduce a system of listing legal guardianship certificates issued for mentally disabled persons?
Q32. Should UIDAI introduce an age gating service?…clearing a person is not a minor?
Q33. Should UIDAI provide a certificate that the person providing consent for the minor is the legal guardian?
Q39. Can Aadhaar Based “Age Pass” be a solution for Age gating?
It was interesting to note that one question received a 100% “No” response. It was:
Q38. Is SEBI mediation platform for dispute resolution the acceptable choice?
The following questions received an 80% “Yes” response:
Q3. Is it necessary to specifically call out a category of “Joint Data Fiduciary” as a class of processors?
Q5. Is it necessary to indicate whether “Subsidiaries” need a separate DPO, or whether a “Group DPO” would be acceptable?
Q8. Should purpose oriented consent be “Process Based”?
Q10. Can Aadhaar data collection be restricted by rule to Virtual Aadhaar only, even for voluntary submission of data?
Q14. Is Legitimate use meant to be used only under very special circumstances?
Q16. Should the Consent Manager be a trusted representative of the Data Principal who based on certain pre-approved rules release the consent in his representative capacity?
Q19. Should Consent Managers be allowed to subcontract any of their services?
Q20. Should there be a minimum period before which the Consent Manager cannot close down his business?
Q24. Should there be simultaneous reporting of a personal data breach to Data Principal?
Q25. Should there be simultaneous reporting of a personal data breach to CERT-In?
Q26. Is 72 hours for detailed data breach sufficient?
There was one question which elicited an 80% “No” response, namely:
Q40. Should Journalists be excluded from Consent and Obligation for protecting the Rights of data principals?
Those of you who want to participate in this Global Survey may access the form and send your views right now at the following link.
https://docs.google.com/forms/d/1IOEgE0bywmrEBENsGI1FFNmwAX8Q7XaDkZvlGRqGqo4/edit?ts=66a362c4
In case responses are received today, they will be added in the collation and sent to MeitY as the “Voice of the Data Protection Professionals”. We will also try to discuss this further for different sectors in the SIGs and keep a continuous watch.
Naavi