By Anuradha Gandhi and Isha Sharma
During a consultation on the Digital Personal Data Protection (DPDP) Act in New Delhi on September 20, 2023,[1] Mr. Rajeev Chandrasekhar, the Minister of State for Electronics and Information Technology, announced a significant step towards implementing the DPDP Act in India. As part of this announcement, the Indian government is taking proactive measures to ensure the effective enforcement of the DPDP Act, which was recently passed on August 11, 2023 after receiving the assent of the Hon’ble President, Smt. Droupadi Murmu.
Setting up of Data Protection Board (DPB)
One of the key measures is the notification of the Data Protection Board (DPB), which the government has committed to establish within the next 30 days. The DPB is poised to act as the central authority entrusted with upholding data protection and privacy standards in the digital landscape. The adjudicatory body's remit encompasses not only ensuring compliance with the DPDP Act but also addressing instances of non-compliance among data fiduciaries and hearing complaints on data breaches.
This move reflects the government’s commitment to establishing a robust framework for data protection and privacy in the country. By notifying the DPB promptly, authorities aim to expedite the implementation of the DPDP Act’s provisions, which are designed to safeguard the privacy and security of individuals’ personal data in the digital arena.
Furthermore, in line with this commitment, the government has already drafted the rules and regulations associated with the DPDP Act and is poised to release the same soon. These rules will provide detailed guidance on how the Act will be applied and enforced, offering clarity to businesses, organisations and individuals about their responsibilities and rights concerning data protection and privacy.[2]
“The DPB will be notified in the next 30 days and all the relevant rules will also be notified in the next 30 days,” the minister clarified.
Request for extended transition period: Internet giants
Major players in the realm of social media and prominent Internet companies have requested an extended transition period from the government to facilitate their alignment with the intricate provisions of the DPDP Act. Their plea underscores the complexity of implementing robust data protection measures and the need for additional time to ensure full compliance with the significant legislation. One of the primary reasons for demanding such an extension pertains to the development of age-gating mechanisms, which play a vital role in safeguarding the privacy and security of children’s data, as the DPDP Act makes it mandatory to obtain verifiable consent prior to processing the personal data of a child. Failure to adhere to such data protection regulations may result in substantial penalties, which may extend to INR 200 crore.[3]
With regard to the request for such an extended transition period, the minister, during the consultation meeting, emphasized his expectation of achieving compliance with the majority of the DPDP Act’s provisions within a concise period of one year, barring provisions such as the age-gating mechanism, which would require additional architectural enhancement.
“Age gating, parental consent requires an EKYC framework to be in place, so that will take longer transition period. Not more than 12 months (will be given),” he added.
The government is not inclined to grant prolonged or extended deadlines for compliance with the rules outlined in the DPDP Act, the minister clarified. It was further emphasized that in the event of breaches occurring under the DPDP Act, the same would be accumulated and would be subject to scrutiny and action by the DPB, once it is officially constituted.
“They would have to make a strong case why they need more time for transition. Companies that were aligned with GDPR should not take time, but wherever there are requirements that go beyond GDPR, so to speak, they should specify the time needed for transition. Non-digital companies will be given longer time period. Where there is a need for architectural enhancement (reference to right to erasure or verifiable parental consent for processing data of children) and more time is needed, we will look into it,” the minister said.
Classification of Data Fiduciaries
During a consultation addressing the timeframe required for the industry to transition to the DPDP Act, the minister highlighted that there would likely be a classification of data fiduciaries into three distinct categories, each to be allocated a specific and graded timeline for achieving compliance with the provisions outlined in the Act.
The initial category encompasses governing entities at the Centre or State, Panchayats or MSMEs lacking digital readiness for data storage and processing. These entities are expected to be granted the most extended transition period, thereby aiming to facilitate their gradual and comprehensive adoption of data protection measures. Following this, the second category will likely encompass smaller private entities and startups. While more agile than governing entities, these organisations may still require adequate time to navigate the intricacies of compliance, particularly if they are new to regulatory frameworks of this nature.
The third category is composed of big tech companies like Google, Meta, Apple and other organisations that are already complying with global data protection or privacy laws such as the GDPR. These entities are likely to be expected to expedite their compliance efforts and align with the DPDP Act at an earlier stage.
This approach signifies a thoughtful and tailored strategy to accommodate the diverse landscape of data fiduciaries, acknowledging that different organisations may have varying levels of complexity in adapting to the new regulatory framework. By categorising these data fiduciaries, the government can provide them with timelines that align with their specific circumstances and readiness, thereby ensuring a smoother and more effective transition to full compliance.
The announcement signified an important milestone in India’s journey towards modernizing its data protection and privacy framework, aligning it with global standards, and addressing the evolving challenges posed by the digital era. It underscores the government’s dedication to ensuring that individuals’ data is handled responsibly and that their privacy is upheld in an increasingly data-centric society. The rules, once implemented, will serve as the operational framework that organisations, both private and public, will need to adhere to in order to ensure compliance with the DPDP Act.[4]