Delay in privacy act stalls tech firms in India

The DPDP law aims to protect the privacy of Indian citizens with penalties of up to ₹250 crore on entities failing to prevent data breaches or misuse of the personal data of individuals. (Image: Pixabay)

Summary

  • Businesses are urging swift action as delays in data protection regulations hamper recruitment, compliance, and adoption and implementation of technology projects and products that involve aspects such as cross-border data transfers, data localization and user-consent frameworks.

A year after Parliament passed a new law to guard the digital data of Indian citizens, technology companies at the vanguard of the transformation are getting restless. The reason: the government is yet to issue rules under the new law, preventing them from taking decisive calls on projects involving data localization and cross-border data transfer, and on hiring compliance officers.

Companies are now reaching out to the government to expedite rules under the Digital Personal Data Protection (DPDP) Act, three people aware of the matter said.

“It’s been confusing—the implementation of the DPDP Act and its rules have played out in India for nearly a decade, in various forms,” said an executive from a top multinational technology firm. “Since being notified in Parliament, the expectation was that by end-2024, compliance would be enforced, providing clarity for tech firms. However, this process has been delayed by another year or two, which isn’t ideal for a sound regulatory environment.”

The DPDP law aims to protect the privacy of Indian citizens with penalties of up to ₹250 crore on entities failing to prevent data breaches or misuse of the personal data of individuals. The Act was notified last year but rules under the law are yet to be finalised.


Another executive emphasized the importance of releasing the DPDP rules to avoid regulatory ambiguity. “Tech firms catering to global markets already comply with Europe’s General Data Protection Regulation (GDPR). For India to attract investments, a clear legislative structure is needed at the earliest. The lack of it may impact smaller firms more than larger ones,” he noted.

A senior official with the Ministry of Electronics and Information Technology assured that the rules would be published “very soon—within the coming weeks.”

The impending rules are expected to outline specific compliance requirements, timelines, and penalties for non-compliance. However, the delay in their publication has forced companies to adopt a wait-and-watch approach, hindering their ability to fully implement data protection measures.

“The final draft will be published for public consultation, followed by any necessary alterations. Once finalized, there will be clearly defined compliance periods for companies,” the government official explained.


Consequently, most stakeholders, including the three executives cited above, expect the on-ground impact of the DPDP Act, 2023, to manifest only from 2026.

Operational challenges

The delay has caused issues within tech firms in India.

Supratim Chakraborty, partner at law firm Khaitan & Co, highlighted the challenge of doubling up key roles in anticipation of compliance.

“Many personnel within companies have been put on double roles, with a projection to become a data privacy officer (DPO) when the law gets enforced. With this delay, many such employees are looking to grasp other roles within the company while essentially being on the sidelines, while others are in a limbo with their job profile,” Chakraborty said.

Lalit Kalra, partner for cyber security at EY India, pointed out concerns despite ongoing preliminary compliance efforts.

“For companies with a global market, compliance with EU’s GDPR already gives them stable ground. Most firms are also already going ahead with preliminary compliance based on the DPDP Act, leaving finer points for whenever the rules come. However, there is a lack of intensity and urgency in place due to the delay in notification of the rules, which can slow down the process of actually enforcing the privacy regulation on-ground,” he added.

Queries sent to Microsoft, Meta, and HCL Technologies remained unanswered.

Chakraborty noted that the delay in implementation has led to a shift in corporate focus. “At one point, there was a spurt around the DPDP Act. Today, companies are trying to push for early implementation of the Act, in whichever form as required, so as to get started with the compliance process. Right now, people aren’t sure on how seriously to take this up,” he said.


Chakraborty and Kalra also discussed the cost implications of compliance. “Handling data, especially unstructured and semi-structured data, will increase costs, along with the appointment of DPOs,” Chakraborty said. Kalra added that full compliance with India’s privacy regulations might take up to five years, particularly challenging for smaller firms. “This is India’s first focused privacy regulation, unlike the EU where regulations existed for decades. The process may not be as simple in India,” he concluded.
