Listen to this article in summarized format
Loading...
××
Subscribe to
Unlock AI Briefing and Premium Content
Subscribe NowWhat's Included
- Exclusive Stories
- Daily ePaper Access
- Smart Market Tools
- Curated Investment Ideas
- Ad-lite Experience
Subscription
The Digital Personal Data Protection (DPDP) rules, which currently offer an 18-month transition period for companies, may see this timeline "compressed" for large companies as the government engages with industry stakeholders on the issue.
Big tech firms and many large companies already abide by stringent data protection standards in many other markets, among them the General Data Protection Regulation (European Union's data privacy and security law) and this argument has prompted discussions about faster implementation of the new rules in India.
About the rationale of the 18-month transition time, when, in fact, many large companies are already complying with stringent norms elsewhere, IT Minister Ashwini Vaishnaw said the government is already in touch with the industry on the issue.
"We have been discussing with industry... the first set of rules has been published, and this gives a reasonable timeframe depending on what the industry's ask was, and what our thrust was.
"But we are also in touch with the industry to further compress time required for compliance because... exactly the same argument we have given to the industry that you already have compliance framework which is existing in other geographies... why can't you replicate...," Vaishnaw said, responding to a question on why large tech companies have been given same compliance timelines, say, as startups.
The industry has been "quite positive" in these discussions.
"So as we go forward, once the data protection board is put in place and the complete digital framework, which has already been prepared, is rolled out... after that we will have further amendments in rules so that we can compress the timelines," Vaishnaw said.
The DPDP rules that operationalise the principal legislation come into effect through a staggered timeline, allowing 18 months for companies processing personal data to shift to the new regime.
The provisions around Data Protection Board, which will be responsible for overseeing enforcement and implementation of the DPDP Act and its rules, including handling complaints, conducting inquiries, and ensuring compliance with data protection obligations -- come into force immediately; while the consent manager framework activates after 12 months, and compliance obligations like user consent notices, security safeguards, data rights, and breach notifications apply after 18 months.
The DPDP rules spell out operational norms for entities in the collection and handling of personal data, and protect the rights of individuals.
"Data protection rules will be a major change in the way our citizens' data and privacy are protected by the digital ecosystem. The rules are in simple language, highly focused on implementation. We have considered all inputs from industry and citizen groups," Vaishnaw said.
India is prioritising the creation of a new legal framework tailored for the digital world. Such a regulatory and legal structure is essential for protecting society from the challenges posed by disinformation and deepfakes, the minister said, emphasising the need for a broader scope that incorporates expert contributions and robust techno-legal measures to effectively address the nuances of the digital world.
"The way digital technologies and new opportunities are coming up, protecting the interests of citizens and the coming generations, is of utmost importance," the minister asserted.
To another question on whether the DPDP Act enforcement dilutes RTI provisions, Vaishnaw emphasised that the framework does not get diluted in any way.
"The RTI Act very clearly says that any information which is required to be disclosed in public interest should be disclosed... that absolutely remains as is, there is no amendment in that, so the framework doesn't get diluted in any which way," he added.
"On the contrary, the citizens get more rights to information because of the various provisions within the DPDP Act, where they get the right to information about what information has been collected by the tech companies, what private and personal information has been collected by the tech companies, by data fiduciaries, as a part of the various processes. So, Right to Information is actually enhanced by the DPDP Act and the rules."
Responding to a question, Vaishnaw said that the FAQ document related to the RTI Act amendment "is ready" for the media.
Big tech firms and many large companies already abide by stringent data protection standards in many other markets, among them the General Data Protection Regulation (European Union's data privacy and security law) and this argument has prompted discussions about faster implementation of the new rules in India.
About the rationale of the 18-month transition time, when, in fact, many large companies are already complying with stringent norms elsewhere, IT Minister Ashwini Vaishnaw said the government is already in touch with the industry on the issue.
"We have been discussing with industry... the first set of rules has been published, and this gives a reasonable timeframe depending on what the industry's ask was, and what our thrust was.
"But we are also in touch with the industry to further compress time required for compliance because... exactly the same argument we have given to the industry that you already have compliance framework which is existing in other geographies... why can't you replicate...," Vaishnaw said, responding to a question on why large tech companies have been given same compliance timelines, say, as startups.
The industry has been "quite positive" in these discussions.
"So as we go forward, once the data protection board is put in place and the complete digital framework, which has already been prepared, is rolled out... after that we will have further amendments in rules so that we can compress the timelines," Vaishnaw said.
The DPDP rules that operationalise the principal legislation come into effect through a staggered timeline, allowing 18 months for companies processing personal data to shift to the new regime.
The provisions around Data Protection Board, which will be responsible for overseeing enforcement and implementation of the DPDP Act and its rules, including handling complaints, conducting inquiries, and ensuring compliance with data protection obligations -- come into force immediately; while the consent manager framework activates after 12 months, and compliance obligations like user consent notices, security safeguards, data rights, and breach notifications apply after 18 months.
The DPDP rules spell out operational norms for entities in the collection and handling of personal data, and protect the rights of individuals.
"Data protection rules will be a major change in the way our citizens' data and privacy are protected by the digital ecosystem. The rules are in simple language, highly focused on implementation. We have considered all inputs from industry and citizen groups," Vaishnaw said.
India is prioritising the creation of a new legal framework tailored for the digital world. Such a regulatory and legal structure is essential for protecting society from the challenges posed by disinformation and deepfakes, the minister said, emphasising the need for a broader scope that incorporates expert contributions and robust techno-legal measures to effectively address the nuances of the digital world.
"The way digital technologies and new opportunities are coming up, protecting the interests of citizens and the coming generations, is of utmost importance," the minister asserted.
To another question on whether the DPDP Act enforcement dilutes RTI provisions, Vaishnaw emphasised that the framework does not get diluted in any way.
"The RTI Act very clearly says that any information which is required to be disclosed in public interest should be disclosed... that absolutely remains as is, there is no amendment in that, so the framework doesn't get diluted in any which way," he added.
"On the contrary, the citizens get more rights to information because of the various provisions within the DPDP Act, where they get the right to information about what information has been collected by the tech companies, what private and personal information has been collected by the tech companies, by data fiduciaries, as a part of the various processes. So, Right to Information is actually enhanced by the DPDP Act and the rules."
Responding to a question, Vaishnaw said that the FAQ document related to the RTI Act amendment "is ready" for the media.
