MeitY notifies DPDP Act Rules

• Businesses get 18 months before enforcement and penalties hit.

• Strict mandates on seeking valid consent from individuals.

• Detailed Technical and Organizational measures for data security.

• Data Breach timelines for reporting a personal data breach.

• Exceptions to Healthcare with respect to the consent framework

• Exceptions to Educational institutions for tracking of children.

• Clear time limits for data retention and data disposal.

• Clarity on what businesses are considered as Significant Data Fiduciaries/SDFs

The much-awaited DPDP Rules are here. A few key highlights from the rules are:

What the DPDP Act Rules cover?

DPDP Act Rule 3

Clear and independent Privacy Notices

Data Fiduciaries must provide standalone, plain‐language notices that include:

• itemized personal data collected;

• specific processing purposes;

• direct links for consent withdrawal;

• Individual's data privacy rights and grievance redressal procedure.

This rule aligns with the DPDP Act obligation on Data Fiduciaries to provide notice to the data principal. The requirement for “plain language” and “direct links” is a strengthening of usability.

DPDP Act Rule 4

Consent Manager registration framework

Consent Managers must meet conditions in First Schedule; registration by the Data Protection Board; Board can suspend/cancel for non‐compliance.

The DPDP Act gives the government power to prescribe rules for consent (and related infrastructure). The introduction of a “Consent Manager” category is novel and unique to the DPDP Act and operationalises how consent can be managed.

None of the other jurisdictions including the EU has such a concept mandating the use of a third-party to manage consent!