Our Partner, Dr. Abhimanyu Chopra has shared his insightful views with ET Legal World in its article “DPDP Act rules set for public consultation; compliance and exemption key challenges”.

Read the complete Article at :https://legal.economictimes.indiatimes.com/news/law-policy/dpdp-act-rules-set-for-public-consultation-compliance-and-exemption-key-challenges-says-experts/112720130

Last year, The Digital Personal Data Protection Act, 2023 (DPDP Act) was enacted for regulating the collection, storage, use and processing of personal data. The act will be taking effect after the government notifies rules which is likely to be released for the public consultation by the end of August.

The Central Government, basis a myriad of reviews, discussions and deliberations both, public and regulatory, intends to exercise its rule-making authority under the Act in the following four major areas. -Abhimanyu Chopra, partner, AZB & Partners.

The DPDP Act is intended to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes. The objective states the purpose of processing of digital personal data on which the “rules will dictate how entities obtain consent, the legitimate uses of data without consent and standards for exempted research bodies,” said Abhimanyu Chopra.

He adds, “The provisions of the DPDP Act apply to all kinds of personal data and does not envisage sub-categories of personal data like sensitive personal data or critical personal data, and therefore, the requirements therein uniformly applicable to all forms of personal data dehors the nature or type of the said personal data.”

He further highlighted, “Currently, this approach deviates from the current Indian data protection law contained under in Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data of Information) Rules, 2011 where there is a distinction between ‘personal information’ and ‘sensitive personal data or information’ and prescribes incremental compliance requirements for processing of sensitive personal data or information as the case may be.”

The Section 2(i) of the DPDP Act defines ‘Data Fiduciary’ as any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. Thus, there is an expectation that “new obligations for data fiduciaries, such as breach notifications and impact assessments, will be detailed through these rules which is very critical to the Act,” said Abhimanyu Chopra.

The recognition of the right of individuals to protect their personal data is an underlying objective of the DPDP Act. The DPDP new “rules will establish how individuals can exercise their rights, including accessing, correcting, and erasing personal data including aspects of minor rights and the regulation of data for KYC acts,” said Abhimanyu Chopra.

The Chapter V of the DPDP Act delineates the functioning of the Data Protection Board. However, the board shall be established by a notification from the Central Government. The DPDP Rules is also expected to come up with “the Rules will also outline the procedures for the functioning of the Data Protection Board of India and the Appellate Tribunal which is key for effective implementation since these board would techno-legal and digital in all sense including administrative as well adjudicatory aspects,” said Abhimanyu Chopra.

He further said, “Overall, the importance of these rules lies in their role in shaping the implementation and enforcement of the Act, impacting how data protection is managed across both the state and private sectors in India and therefore they are eagerly awaited by all stakeholders.”