© The Indian Express Pvt Ltd
Tags:
Journalism of Courage
The government is in consultation with the industry to further shorten the compliance timeline – from the current 12 to 18 months – and will soon issue an amendment to that end, IT Minister Ashwini Vaishnaw said Monday.
Vaishnaw, while responding to a question from The Indian Express on why the government had afforded Big Tech companies and start-ups the same compliance timeline, even though the former already have systems to adhere to international privacy laws, said, “That is something we are talking to the industry about. It is right that big companies already follow laws like Europe’s General Data Protection Regulation (GDPR). We will compress the timeline. We will amend the law”.
The Ministry of Electronics and IT (MeitY) Friday notified the long awaited data protection rules, paving the way for India to have a functional privacy law, eight years after the Supreme Court ruled it as a fundamental right. The notification of the rules comes over two years after the Digital Personal Data Protection Act (DPDP Act) received the President’s assent in August 2023.
While the law is now operational, only parts of it are currently in force, as some of the most important protections available to citizens under the law will take longer — between 12 to 18 months — to be implemented.
For instance, the requirement for entities to seek informed consent from users before processing their personal data, using their personal data only for specified legitimate uses, and for entities to notify data breaches to users, will all only be operationalised after 18 months.
Effectively, the Data Protection Board of India (DPB), which will act as the key adjudicatory body to ensure entities comply with the law, has been implemented, along with a controversial provision which amends the Right to Information (RTI) Act to disallow disclosure of personal information about public officials even when it is justified in larger public interest.
The DPDP Rules, 2025, say that the Centre will specify the kind of personal data which can be processed by “significant data fiduciaries” subject to the restriction that such personal data and traffic data related to its flow is not transferred outside the territory of India. A committee, to be formed by the government, will determine it. This is effectively a data localisation requirement, which the industry has previously resisted. Big tech companies are expected to push back on this provision.
A significant data fiduciary will be determined on the basis of the volume and sensitivity of personal data they process, and the risks they might have on sovereignty and integrity of India, electoral democracy, security, and public order. Tech majors including Meta, Google, Apple, Microsoft, and Amazon are expected to be classified as significant data fiduciaries.
Under the rules, tech companies are required to implement a mechanism for collecting “verifiable” parental consent before processing personal data of children.
Effectively, the government has refrained from proposing a mechanism from its side, and has left it to the companies to adopt a system of their choice, after social media companies complained that it could be a difficult provision to implement.
In the event of a data breach, data fiduciaries will have to intimate impacted individuals “without delay” a description of the breach, including its nature, extent and the timing and location of its occurrence; the consequences relevant to the impacted user, that are likely to arise from the breach; and the measures implemented and being implemented to mitigate risk among other things. The penalty for failing to have adequate safeguards for preventing a data breach could go as high as Rs 250 crore.
The Data Protection Act had come under scrutiny for granting wide-ranging exemptions to the government or its agencies while processing citizens’ personal data on grounds of ‘national security’, ‘friendly relations with other states’, and ‘public order’, among other things. It was also called into question over allegedly diluting the RTI Act. The Indian Express had earlier reported that apart from the civil society, even government’s think tank Niti Aayog had also raised concerns over the potential weakening of the RTI Act.
Under the rules, a data fiduciary — an entity (either private or public) that collects and processes users’ data — will also have to implement reasonable security measures to protect personal data, including encryption, access control, monitoring for unauthorised access, and data backups.
The rules also require that data fiduciaries have to provide a clear, standalone, and understandable notice to data principals before processing their data. Specifically, the notice should include an itemised list of the personal data being collected and a clear description of the purpose for processing, along with an itemised explanation of the goods, services, or uses enabled by such processing.
