Experts anticipate progress on DPDT Act under new IT minister

With the return of Ashwini Vaishnaw as the IT Minister, policy experts and think tanks are hoping to see some movement on the country’s data privacy legislation – the Digital Personal Data Protection (DPDP) Act, which was passed by both the houses of parliament in August, 2023.

Experts demand the rules for the DPDP Act 2023 be released soon as they will give more specific direction to the industry on compliance, which is set to face the biggest impact once the law is functional.

“The implementation of the law is going to spark a big shift across all kinds of entities, therefore a 12-18 month period will have to be provided at the minimum once the rules are notified for compliance,” said Aparajita Bharti, Founding Partner, The Quantum Hub (TQH) Consulting – a policy think tank.

Akshayy S Nanda, partner, Saraf and Partners said that it is the companies which will require a significant period to align their operations, policies, and systems with the new regulatory framework, and if the rules are notified soon, businesses will get ample time to make the necessary adjustments, conduct training sessions for employees, and implement robust personal data protection measures.

Union Minister Ashwini Vaishnaw who is leading the charge of the Ministry of Electronics and Information technology for the second consecutive term, has kept the notification of DPDP Act as his top priority option in Modi 3.0.

“We had started the rules’ drafting work around December. Digital Personal Data Protection rules drafting is in a very advanced stage. We will start the industry consultation now and will go as extensive as we can,” Vaishnaw told reporters at a press briefing recently.

He further said that the government was not in any rush for notifying the rules, and will follow a consultation process similar to what the Ministry did during Telecom Act as well as the DPDP Act.

Need for clarity in DPDP implementation rules
Policy groups too agree on the need for extensive consultations, and demand better clarity on some issues through the yet-to-be-released rules.

“A thorough consultation will help in ironing out any issues identified in the draft rules, as legal and technical teams assess their feasibility in detail, but clarity is definitely required around consent management systems, implementation of verifiable parental consent in the case of minors and legitimate uses for which data can be processed without explicit consent,” said Bharti.

As India’s first-ever dedicated legislation for digital privacy, the DPDP Act provides broad principles of collection and processing of personal information in digital form. The Act prescribes monetary penalties of up to Rs 250 crore for each instance of a data breach and blocking of entities in case of repeated violations.

However, the way of implementation and the exact processes will be “as may be prescribed” in the rulebook. The Act has defined 26 matters on which the government can make rules to enforce the provisions of the Act.

Key requirements for DPDP implementation rules
Apart from providing clarity on the timeline for compliance with the privacy law, legal experts expect the rules to provide detailed and practical compliance requirements, be technologically neutral, have a risk-based approach, align with global standards, and there should be support for implementation.

“The rules should also adopt a risk-based approach, requiring higher levels of protection for sensitive data and data processing activities that pose greater risks to individuals. Also, they should be technologically neutral, allowing companies the flexibility to adopt the most suitable technologies and methods to meet data protection standards. This will help ensure that the rules remain relevant and adaptable as technology evolves,” said Nanda.

Experts also stressed on the need for the rules to include mechanisms for regular review and updates to keep pace with technological advancements and emerging data protection challenges. This can involve periodic consultations with stakeholders, including businesses, privacy advocates, and technical experts, they added. Business Standard