Eye on colleges, hospitals, Centre looks to get own house in order ahead of data protection rules

The data protection Act has an exemption clause for the government and its agencies, however, it is unlikely that it could be used for institutions like colleges and hospitals.

3 min readUpdated: Nov 11, 2024 08:50 AM IST

Data protection, business news, indian express

The data protection Act has an exemption clause for the government and its agencies, however, it is unlikely that it could be used for institutions like colleges and hospitals. (File representational photo)

Behind the seeming delay in publishing the draft rules for data protection is the government’s attempts at getting its own house in order. The Indian Express has learnt that a number of its internal discussions have centred on whether some of the institutions it controls—schools, colleges, and hospitals—would be ready to comply with the law or need a longer timeframe.

The Digital Personal Data Protection Act, 2023, was enacted last August but is yet to be made operational as subordinate legislation—at least 25 rules—necessary to add contours to the law are awaited. Thus, the law has not come into force more than a year since it received the President’s assent.

“There are so many public colleges and hospitals that are in far flung areas, and many of them are operating on rudimentary technology. But, they do handle a lot of personal data on a daily basis. We have to carefully accommodate these institutions. We discussed a lot on these accounts while framing the rules,” a senior government official said, requesting anonymity.

The data protection Act has an exemption clause for the government and its agencies, however, it is unlikely that it could be used for institutions like colleges and hospitals.

The IT Ministry did not respond to a request for comment.

There are other things that have held up the rules as well. For instance, the law said that entities that deal with the personal data of children – individuals below the age of 18 – would have to seek consent for processing their data from their parents or guardians. However, the government soon realised that it could be difficult to prescribe a particular mechanism or technological intervention to gather such consent, and is understood to have given up on the idea.

Now, the IT Ministry is expected to leave it to the discretion of the companies on how they want to seek such consent under the upcoming data protection rules.

Story continues below this ad

The law has received pushback from the civil society, and Opposition. The Niti Aayog, the government’s main think tank, has also criticised some provisions in the law that could potentially dilute the Right to Information (RT) Act, The Indian Express had earlier reported.

Another major point of contention has been the wide ranging exemptions that the law offers to the government’s agencies. According to Section 17 (2) (a) of the data protection law, “The provisions of this Act shall not apply in respect of the processing of personal data — by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these…”

The law requires companies to gather users’ personal data through a consent-based mechanism, even as it allows some relaxations to that end for certain “legitimate uses”. The penalty for not being able to take enough safeguards for preventing a data breach could go as high as Rs 250 crore.

Soumyarendra Barik

Soumyarendra Barik is a Special Correspondent with The Indian Express, specializing in the complex and evolving intersection of technology, policy, and society. With over five years of newsroom experience, he is a key voice in documenting how digital transformations impact the daily lives of Indian citizens. Expertise & Focus Areas Barik’s reporting delves into the regulatory and human aspects of the tech world. His core areas of focus include: The Gig Economy: He extensively covers the rights and working conditions of gig workers in India. Tech Policy & Regulation: Analysis of policy interventions that impact Big Tech companies and the broader digital ecosystem. Digital Rights: Reporting on data privacy, internet freedom, and India's prevalent digital divide. Authoritativeness & On-Ground Reporting: Barik is known for his immersive and data-driven approach to journalism. A notable example of his commitment to authentic storytelling involves him tailing a food delivery worker for over 12 hours. This investigative piece quantified the meager earnings and physical toll involved in the profession, providing a verified, ground-level perspective often missing in tech reporting. Personal Interests Outside of the newsroom, Soumyarendra is a self-confessed nerd about horology (watches), follows Formula 1 racing closely, and is an avid football fan. Find all stories by Soumyarendra Barik here. ... Read More