The government wants big tech companies to get ready to follow the digital data privacy law, while hinting at a breather of up to 12 months in terms of a transition period for startups, government entities and micro, small and medium enterprises. A graded approach for different categories is being planned for the transition period.
Big tech platforms such as Google, Meta and Microsoft faced disappointment during a meeting with minister of state for electronics and IT Rajeev Chandrasekhar on Wednesday when they were told to start complying with the Digital Personal Data Protection (DPDP) Act, 2023. The minister said the big tech platforms would need to provide a “strong case” to justify any demand for a transition period as they are already compliant with the European Union’s General Data Protection Regulation (GDPR).
The ministry of electronics and information technology (MeitY) had called the meeting with industry stakeholders to discuss the roadmap for the digital data privacy law and respond to queries on issues related to the recently cleared legislation.
Chandrasekhar said the government may release the draft rules to enforce the law in the next four to six weeks. A data protection board is also likely to be set up in 30 days.
A category of data fiduciaries like government entities at the Centre or state, panchayats or MSMEs that do not have the digital readiness for storing or processing data, are likely to get maximum time for transition, followed by smaller private entities and start-ups.
“Companies that were aligned with GDPR should not take time, but wherever there are requirements that go beyond GDPR, so to speak, they should specify the time needed for transition. Non-digital companies (like manufacturing firms) will be given a longer period. Where there is a need for architectural enhancement and more time is needed, we will look into it,” the minister said.
EU’s GDPR, which came into effect in 2018, is seen amongst the toughest privacy and security laws in the world.
As for India’s privacy law, it provides broad principles of data protection and a rulebook is expected to outline the implementation roadmap and processes along the way. The Act has defined 26 items on which the government can make rules. The minister said over the coming month, the government will release at least eight to nine necessary rules to offer clarity on some of these provisions.
Industry has voiced its concerns.
“Wherever the obligation is very similar to those in laws in other parts of the world, we do not expect a long period in terms of transition time. But where the obligation is unique to India and where the obligation has a dependency on a third party (for compliance), we would expect a longer transition period,” said Sunil Abraham, Public Policy Director – Data Economy and Emerging Tech – for India at Meta during the consultation.
A representative of instant messaging app Snap said the government should consider the technical complexities of some compliance requirements while finalising the timeframe for notification.
“From our perspective, the thing that will require the engineering effort is section 9 – the parental consent requirement. Our request is to get an opportunity to create a list of similar provisions that will require more effort,” Uthara Ganesh, head of public policy, India and South Asia, Snap Inc, said.
The government is open to the demand for a slightly longer transition to implement e-KYC requirements. “If you can give us real input as opposed to rhetoric about what parts of the Act require a slightly longer period for transition, that will be a useful conversation,” Chandrasekhar said.
The consultation was attended by about 125 representatives of companies including Meta, Microsoft, Lenovo, Dell, and Netflix, among others.
Law experts said there’s an utmost need for clarity on compliance requirements. For that, the subordinate rules and the authority must be in place.
“Since the beginning, there was an expectation that there would be some fitting period for compliance to start. Once you have the law, the rules and the authority under it are in place, then you understand what you are supposed to do (for compliance). Till then, there are a lot of ambiguities and confusion,” said Anupam Shukla, partner at Pioneer Legal, a law firm.
Passed in Parliament last month, the digital data privacy legislation caused a stir in the industry because of some tough clauses and the absence of a clear roadmap so far.
“The implication of this is that if there are any breaches under the law – today or after the time we notified the Act – those breaches will be taken up by the Data Protection Board on or after the day the Data Protection Board is constituted. So this window between now and the DPB’s constitution is not a holiday or a safe harbour (from compliance),” the minister said. He added that the data protection board, which has the power to prescribe penalties up to Rs 250 crore, will start adjudicating the cases of violations by platforms immediately after its formation.