Six years after the Supreme Court ruled that privacy is a fundamental right of citizens, India’s data protection law, the Digital Personal Data Protection Bill, 2023, was passed in the Lok Sabha (lower house of the parliament) on August 7 and Rajya Sabha (upper house) on August 9. It will next be sent to the President of India for final assent.
Upon the President’s assent, the Bill will be enacted as the Digital Personal Data Protection (DPDP) Act, 2023, and will go into effect on the date that will be notified by the government in the Official Gazette.
Importantly, section 1(2) of the Bill states that different dates may be appointed for different provisions of the Act to go into effect, and section 17(5) states that the government can also declare that any provision of the Act shall not apply to a specific Data Fiduciary or classes of Data Fiduciaries for such period as may be specified by the government. In other words, different types of entities will have different timelines to comply with different provisions of the DPDP Act.
This approach was also confirmed by IT Minister of State Rajeev Chandrasekhar, who informed The Indian Express that the government will follow a graded approach with Big Tech companies expected to comply first and startups getting a longer transition period. The exact timelines will be decided post consultations with the industry, he added.
The data protection law requires companies to obtain consent before processing any personal data, safeguard data from data breaches, obtain parental consent when processing the personal data of anyone under the age of 18, implement a grievance redressal system, and allow users to exercise their rights to information, correction, and erasure, among other obligations. For more on what the law entails and what happens in case of non-compliance, see MediaNama’s summary of the DPDP Bill.
A graded timeline is essential because startups and smaller companies should not be expected to comply with the law within the same time frame as Big Tech companies that have the resources, as well as experience from other jurisdictions like the EU, to comply faster.
Even with a graded approach, the timeline might still be tight for companies in India. IT Minister Ashwini Vaishnaw has indicated that the implementation will take around six to ten months. For context, the European Union approved its privacy law, the General Data Protection Regulation (GDPR), in 2016 and gave companies two years to comply with it.
“GDPR was designed when the world’s knowledge about privacy laws was low, but that is not the case today. So, it is unlikely that we will allow the industry a two-year transition window,” Rajeev Chandrasekhar told The Indian Express.
Apart from a graded approach to implementation, the government also has the power to exempt certain classes of Data Fiduciaries, such as start-ups, from some of the provisions of the law. This type of exemption will be based on the volume and nature of personal data these entities process.
