The Ministry of Electronics and Information Technology (MeitY) unveiled draft regulations to implement the government's groundbreaking digital privacy law on January 3, paving the way for significant changes in the handling of personal data by companies and government agencies.
For the first time, the rules under the Digital Personal Data Protection (DPDP) Act categorise various types of data fiduciaries. They propose that fiduciaries like e-commerce platforms, online gaming companies, and social media platforms must delete users' personal data three years after it is no longer needed.
These provisions mandate that data fiduciaries must delete personal data once it is no longer needed for its specified purpose. The draft rules also specify the timelines for data erasure across various categories of data fiduciaries, including social media platforms, online gaming platforms, and e-commerce entities.
Platforms must notify users at least 48 hours before erasure, allowing them to log in or request data retention. User accounts include profiles, email addresses, or phone numbers linked to the principal user for service access.
The MeitY has released proposed rules detailing key provisions of the Digital Personal Data Protection (DPDP) Act, enacted by Parliament last August. The draft invites public consultation until February 18, allowing stakeholders to provide feedback via the government's MyGov portal.
The regulations focus on key aspects of data protection, including requirements for notifying individuals about data collection, establishing a framework for consent management, implementing safeguards for handling children's personal information, among other aspects. The rules are also expected to outline details regarding the establishment of the Data Protection Board, including the appointment process and service conditions for its chairperson and members.