Big tech may see faster DPDP rules compliance timeline

The Digital Personal Data Protection (DPDP) rules, which currently offer an 18-month transition period for companies, may have to be implemented faster by bigger companies.

Big tech firms and many large companies already abide by stringent data protection standards in many other markets, among them the General Data Protection Regulation (European Union's data privacy and security law). This argument has prompted discussions about faster implementation of the new rules in India.

IT Minister Ashwini Vaishnaw has said the government is already in touch with the industry on the issue. “We have been discussing with industry... the first set of rules has been published, and this gives a reasonable timeframe depending on what the industry’s ask was, and what our thrust was,” he said.

Also read: DPDP rules: User rights constrained by state exemptions, loopholes, says activist

“But we are also in touch with the industry to further compress the time required for compliance because... exactly the same argument we have given to the industry that you already have compliance framework which is existing in other geographies... why can’t you replicate...,” Vaishnaw added.

Staggered timeline

The industry has been “quite positive” in these discussions, he said. “So as we go forward, once the data protection board is put in place and the complete digital framework, which has already been prepared, is rolled out... after that we will have further amendments in rules so that we can compress the timelines,” Vaishnaw said.

The DPDP rules that operationalise the principal legislation come into effect through a staggered timeline, allowing 18 months for companies processing personal data to shift to the new regime.

The provisions around Data Protection Board, which will be responsible for overseeing the enforcement and implementation of the DPDP Act and its rules, including handling complaints, conducting inquiries, and ensuring compliance with data protection obligations — come into force immediately; while the consent manager framework activates after 12 months, and compliance obligations like user consent notices, security safeguards, data rights, and breach notifications apply after 18 months.

Also read: Govt notifies Digital Personal Data Protection Act to protect citizens in online space

The DPDP rules spell out operational norms for entities in the collection and handling of personal data, and protect the rights of individuals.

“The way digital technologies and new opportunities are coming up, protecting the interests of citizens and the coming generations, is of utmost importance,” the minister asserted.

‘Does not dilute RTI’

To another question on whether the DPDP Act enforcement dilutes RTI provisions, Vaishnaw emphasised that the framework does not get diluted in any way.

“The RTI Act very clearly says that any information which is required to be disclosed in public interest should be disclosed... that absolutely remains as is, there is no amendment in that, so the framework doesn't get diluted in any which way,” he added.

Also read: DPDP law weakens transparency, threatens journalists: RTI activist

“On the contrary, citizens get more rights to information because of the various provisions within the DPDP Act, where they get the right to information about what information has been collected by the tech companies, what private and personal information has been collected by the tech companies, by data fiduciaries, as a part of the various processes. So, Right to Information is actually enhanced by the DPDP Act and the rules.”

Responding to a question, Vaishnaw said that the FAQ document related to the RTI Act amendment “is ready” for the media.

(With agency inputs)