Data protection board, relevant rules likely in a month
The first set of necessary rules under the Act will be issued within 30 days, said minister Rajeev Chandrasekhar
New Delhi: The government will set up the data protection board (DPB), the appellate authority for grievance redressal under the Digital Personal Data Protection Act, within the next 30 days, Rajeev Chandrasekhar, minister of state for electronics and information technology said on Wednesday. The first set of ‘necessary rules’ under the Act will also be issued within the same time frame.
“The DPB will be notified in the next 30 days and all the relevant rules will also be notified in the next 30 days. The time between 11 August when the Act was notified and when the DPB is constituted, should not be considered a safe harbour or immunity period for companies. If there’s a data breach during this time, the DPB will take it up once it is operational," the minister clarified.
Speaking at the consultation for timeframes needed by the industry to transition to the DPDPA, the minister said that there are likely to be three categories of data fiduciaries that will be given a graded timeline for transition for compliance to the provisions in the Act.
The first category comprising government entities at the Centre or state, panchayats or MSMEs that do not have the digital readiness for storing or processing data, are likely to get the most time for transition, followed by smaller private entities and start-ups. However, big tech or companies like Google, Meta, Apple and others that would already be complying with global data protection or privacy laws such as the GDPR, would be expected to comply at the earliest.
“They would have to make a strong case why they need more time for transition. Companies that were aligned with GDPR should not take time, but wherever there are requirements that go beyond GDPR, so to speak, they should specify the time needed for transition. Non-digital companies will be given longer time period. Where there is a need for architectural enhancement (reference to right to erasure or verifiable parental consent for processing data of children) and more time is needed, we will look into it," the minister said.
On whether the ministry would look at tiers of six months to a year, Chandrasekhar said that while the government wants to ensure that there would be zero disruption, it won’t give extended deadlines for compliance with the rules. “Age gating, parental consent requires an EKYC framework to be in place, so that till take longer transition period. Not more than 12 months (will be given)," he said.
During the consultation, which lasted for over an hour, the minister declined to give an exemption to financial or lending services providers that are regulated by the financial services regulator, stating that the Act provides for regulation by two bodies.
While the DPDPA has been in force since 11 August, the rules under the law are still to be issued. A senior official in the ministry had earlier said that most of the 25 rules that were needed to enable the Act, were drafted and ready. The law has made it mandatory for companies to collect user data through a consent-based mechanism but for some legitimate uses, the law provides for some relaxations. The law also prescribes penalties for data breaches of ₹250 crore, which can be raised to ₹500 crore.
The law provides several exemptions to the Centre and enables it to block any platform in the event of two instances of violations.
3.6 Crore Indians visited in a single day choosing us as India's undisputed platform for General Election Results. Explore the latest updates here!
Dive into the Amazon Great Indian Festival Sale 2024!
Unbelievable deals on laptops, washing machines, refrigerators, kitchen appliances, gadgets, automotives, luggage and more in amazon sale. Celebrate Diwali 2024 with Amazon's biggest sale of the year.