The government on Sunday explained that the quantum of penalty would depend on nature of defaults and any penalty imposed would be fair and proportionate under the Digital Personal Data Protection (DPDP) Rules.

The government had earlier released the draft rules for the DPDP Act and has asked for public feedback by February 18.

Through a release on Frequently Asked Questions (FAQs) regarding the draft DPDP Rules, the Ministry of Electronics and Information Technology (MeitY) said, “The DPDP Act provides for graded financial penalties in case of violation of the Act and the rules. The quantum of penalty would depend upon the nature, gravity, duration, type, repetitiveness, efforts made to prevent breach, etc. Further, Significant Data Fiduciaries have higher obligations under the Act and rules, while a lower compliance burden is envisaged for start-ups. Therefore, any penalty imposed for defaults would be fair and proportionate.”

Moreover, the Data Fiduciary may at any stage in the proceedings may voluntarily give an undertaking to the Data Protection Board, which if accepted by the Board would result in the dropping of proceedings, it said.

Data storage

Also, on whether businesses will be required to store personal data only within India, it said that the draft rules do not mandate that all personal data be stored within India. However, they provide that transfer of personal data outside India may be restricted for certain classes. The draft rules envisage a committee that may recommend restriction on such transfer by a Significant Data Fiduciary in respect of specified personal data.

On whether the draft rules disrupt existing digital practices and if adequate time be given to adapt to the requirements of this law, MeitY explained that the draft rules aim to protect citizen’s rights without disrupting existing digital practices. Further, adequate time will be given to all entities to adapt their systems to meet the requirements of this law.

“Processing of digital data on the basis of consent given before the coming into force of the new law is permitted and such processing may continue while citizens are given notice regarding the same so that they may exercise their rights under the law. While clear obligations have been cast on Data Fiduciaries to protect personal data in accordance with the law, prescriptions have been kept to a minimum and compliance burden has been kept low by enabling compliance through digital means,” it said.

On a question on how the citizens will be empowered to exercise their rights, MeitY explained that while the entities will prepare themselves for compliance with the law during the period given for adapting their systems, widespread awareness initiatives will be undertaken to educate the citizens about their rights on their personal data.

“Further, digital platforms will have to inform and take consent of people in English or any of the 22 Indian languages listed in the Constitution, in the language of their choice. They will also have to notify their users of the online links using which they may exercise their rights for withdrawing their consent, obtaining information regarding processing of their data, update and erasure of their data, grievance redressal, nomination and making a complaint to the Data Protection Board,” it added.

Published on January 5, 2025