By Anuradha Gandhi and Isha Sharma
Impending Data Protection Rules
After a long and eager wait, the Digital Personal Data Protection Act (DPDP Act) received the assent of the Hon’ble President Smt. Droupadi Murmu on August 11, 2023 and was notified the same day in the official gazette.
With the formal enactment of the DPDP Act, a sense of anticipation and eagerness has enveloped us all. The legislation itself represents a significant milestone in the realm of data protection and privacy, laying the foundation for comprehensive data protection and privacy standards in the country. The focus has now naturally shifted towards the practical application of these principles through the forthcoming rules and guidelines. These rules will serve as the operational framework that organisations, both private and public, will need to adhere to in order to ensure compliance with the DPDP Act. Furthermore, these rules are expected to serve as a precedent for future regulations and laws relating to data governance and digital privacy.
A recent report by the Economic Times brought to light that the government is anticipated to unveil a structured timeline for the enforcement of regulations to be established pursuant to the Digital Data Protection Law, as per the official statement of a senior government official. [1]
The official further mentioned that a tiered plan is being considered. Larger corporations like Meta, Google and others may receive a more compressed timeline for the enforcement of these regulations, whereas smaller entities such as startups, micro, small and medium enterprises, as well as central government departments and state governments, may be granted a more extended period for compliance.
“The transition period will have to be notified first that the rules will be effective from that day. That conversation is still ongoing. We have had a broad conversation with consumer groups, state, and central governments. Now we have to have a conversation with the big tech companies and startups,” the official said.
“In the ongoing discussions, startups and micro, small and medium enterprises (MSMEs) have requested an extended timeframe due to their current lack of readiness to undertake the necessary adjustments mandated by the DPDP Law,” stated the official. It should be noted that the initial notifications to establish the graded timelines will be of paramount importance under the new law, as they will establish the precedent for subsequent notification of additional regulations.
The official further stated that once it is definitively established that there is a designated timeline, potentially a 6-month window for the implementation of the DPDP law concerning major technology corporations, attention can be directed towards addressing supplementary crucial aspects encompassing the establishment of the Data Protection Board, the selection of its members and the formulation of additional regulations.
It has been reported in the Economic Times that the government has concluded the formulation of approximately 21 rules under the DPDP law [2] and is poised to initiate consultations with the stakeholders in the upcoming days. Subsequently, the government intends to officially notify these rules, concurrently providing their operational guidelines for comprehensive implementation, as stated by another official.
In an earlier statement to Economic Times, Ashwini Vaishnaw, the Union IT Minister, underscored the far-reaching implications of the DPDP Law, emphasizing that its implementation would usher in a transformative era for various stakeholders in India. One of the law’s central objectives is to instill greater accountability among social media companies operating within India’s jurisdiction. It not only sets the stage for enhanced transparency and responsibility but also carries the potential to catalyze growth within the thriving IT industry of the country.
Under the ambit of the DPDP law lies a substantial paradigm shift in the manner in which organizations handle and process the data of Indian citizens. This monumental legislation is expected to bring about a fundamental re-evaluation of data management practices, requiring companies to adopt more stringent measures and robust protocols to ensure the safety and privacy of Indian citizens’ data. Its comprehensive impact is poised to shape the future landscape of digital governance and data privacy in India.