Analysis On Data Security Under The Draft DPDP Rules, 2025 – Part 3


The Digital Personal Data Protection Act, 2023 (“DPDPA”) focuses on data privacy and protection by limiting the processing of personal data to ‘specified purposes’. It also calls for robust security measures and protocols to ensure that such data is secure, and failure to do so attracts substantial penalties. This article delves into the provisions of the Draft Digital Personal Data Protection Rules, 2025 (“Draft Rules”) that lay down safeguards to protect such data, and the procedure to be followed in case of a breach.

Reasonable Security Safeguards

Data Fiduciaries, under the DPDPA, are required to lay down and maintain robust security measures and protocols. Section 8(5) calls for the adoption of “reasonable security safeguards” in order to prevent any breach. Rule 6 of the Draft Rules specifies the minimum safeguards, as set out below:

1. Adoption of ‘appropriate’ security measures for the data, which shall entail masking, encryption, use of virtual tokens, or obfuscation of the personal data.

2. Adoption of ‘appropriate’ measures to regulate access to the computer resources used by the Data Fiduciary or Data Processor.

3. Oversight of access to the data in question through monitoring and review, maintenance of appropriate logs, adoption of mechanisms for the detection of unauthorized access, investigation of such access, and remedial measures to avoid its repetition.

4. In the event of a compromise of the availability, confidentiality, or integrity of the personal data, whether due to loss of access, destruction of the data, or otherwise, “reasonable measures” shall be undertaken for the continuation of processing of the data.

5. Detection of unauthorized access, investigation of the same, and remedial measures shall be undertaken, and in the event of such a compromise, continued processing shall not be impacted. The logs and the data in question shall be retained for a period of 1 (one) year unless the law in force prescribes otherwise. However, continuing to process during such a compromise would expose the newly processed data as well; it is recommended that processing be halted, the compromise remedied, and processing then resumed.

6. Ensuring that the contract entered into between the Data Fiduciary and the Data Processor contains appropriate provisions for adopting these safeguards.

7. Adoption of organizational and technical measures to ensure observance of the above.

The DPDPA prescribes a penalty under Schedule I which may extend to INR 250,00,00,000/- (Indian Rupees Two Hundred and Fifty Crores only) where a Data Fiduciary fails to adopt the said safeguards, thereby compelling meticulous and effective compliance.

The above safeguards could be considered an improvement over the requirements of Rule 8(1) of the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, as they provide defined minimum criteria for the measures to be adopted. However, the definitional uncertainty of ‘reasonable security safeguards’ in Rule 6 of the Draft Rules leaves the term entirely open to various interpretations when it comes to its practical application by Data Fiduciaries.

Specified Purpose

Under the Draft Rules read with the DPDPA, where the Data Principal neither approaches the Data Fiduciary for the performance of the specified purpose (as set out in the notice seeking consent) nor exercises her rights in relation to such processing (the “purpose”), the personal data is to be erased within the timeline prescribed for that class of Data Fiduciary, unless retention is required to comply with applicable law. The Data Fiduciary shall, however, intimate the Data Principal 48 (forty-eight) hours prior to the expiry of such timeline that erasure will be carried out unless the Data Principal contacts it expressing intent for the purpose or logs into her user account. The timelines, set out below, do not apply to the provision of access to the user account, or to virtual tokens issued by or on behalf of the Data Fiduciary and stored on its platform that may be used to obtain goods, services or money:

1. E-Commerce entities having not less than 2,00,00,000 (two crore) registered users in India – 3 (three) years from the date of contact by the Data Principal for the purpose or the commencement of the Draft Rules.

2. Online gaming entities having not less than 50,00,000 (fifty lakh) registered users in India – 3 (three) years from the date of contact by the Data Principal for the purpose or the commencement of the Draft Rules.

3. Social media intermediaries having not less than 2,00,00,000 (two crore) registered users in India – 3 (three) years from the date of contact by the Data Principal for the purpose or the commencement of the Draft Rules.

Since the rules are to be implemented in phases, this creates ambiguity.

However, this provision may be appreciated since, at various instances, users recall access they have provided to platforms on which their personal data would otherwise remain indefinitely. Rule 9 further provides for a point of contact to answer questions regarding the processing of the Data Principal’s personal data, which provides relief to users.

Intimation In The Instance Of Breach

Rule 7 of the Draft Rules provides for a mechanism to further the rights of the Data Principal, each of whom is to be intimated of a breach in a clear, plain and concise manner. The Data Fiduciary is, however, only required to do so “to the best of its knowledge”, thus providing loopholes for Data Fiduciaries in rendering essential information. Such intimation must provide an account of the breach, detail the consequences that are likely to impact the Data Principal, set out the measures already implemented and those being implemented to minimize such impact, provide the safety measures that the Data Principal may undertake, and give details of the point of contact of the Data Fiduciary to respond to any queries. A similar yet more comprehensive obligation is imposed on the Data Fiduciary to intimate the Board of such breach through a two-tier mechanism: initial reporting that parallels what is required for the Data Principal, followed by a detailed analysis within 72 (seventy-two) hours of the Data Fiduciary becoming aware of the breach. However, the Draft Rules need not bifurcate between the two in order to enhance the rights of the Data Fiduciary and promote transparency. Uniform reporting standards, regardless of the breach’s severity, may require alignment with existing CERT-In and sector-specific guidelines.


Authors: Malaika Karia & Dev Agarwal
