Govt To Cut Data Protection Compliance Timeline: Ashwini Vaishnaw
The government is preparing to shorten the compliance timeline under India’s new data protection law, IT Minister Ashwini Vaishnaw said on Monday. Companies currently have between 12 and 18 months to meet the full requirements of the Digital Personal Data Protection Act, but the minister said an amendment will soon be issued to reduce this period. The proposal is being discussed with industry players.
The statement came shortly after the Ministry of Electronics and IT notified the long-pending data protection rules on Friday. With this notification, India moves closer to enforcing a complete privacy framework eight years after the Supreme Court recognised privacy as a fundamental right.
The rules were issued more than two years after the Digital Personal Data Protection Act received presidential assent in August 2023.
Although the law has technically come into force, several major protections available to citizens will not take effect immediately. Key provisions such as informed consent for personal data processing, restrictions on the use of personal data, and mandatory reporting of data breaches will be implemented only after the full compliance window ends, which is currently up to 18 months.
Also, read| The Energy Revolution: How Kerala’s Leading Malls Turn Energy Bills To Net Zero?
The government has already operationalised the Data Protection Board of India, which will act as the central adjudicating authority for violations of the law. At the same time, an amendment to the Right to Information Act has come into force, restricting the disclosure of personal information about public officials. The change has drawn criticism from civil society groups and transparency advocates.
The new rules outline how the law will apply to companies handling large volumes of personal data. The Centre will classify certain entities as “significant data fiduciaries” based on the scale and sensitivity of the data they process and the potential risks to national security, public order, electoral integrity, and sovereignty.
Once classified, these companies will be required to process certain categories of personal data only within India. Large global technology firms such as Meta, Google, Apple, Microsoft, and Amazon are expected to fall under this category.
The rules also require companies to put in place systems for verifying parental consent before processing the personal data of children. The government has left it to companies to choose how they want to implement this mechanism.
Read Also: IIT Bombay Finds New Seawater Air Conditioning System That Saves 79% Energy For Data Centres
In cases of data breaches, companies will have to notify affected individuals without delay. They must disclose the nature and timing of the breach, its impact on users, and the steps being taken to address the incident. Penalties for inadequate security safeguards may go up to Rs 250 crore.
Concerns have previously been raised about the wide-ranging exemptions granted to government agencies under the Act. These exemptions allow the government to process personal data without many of the law’s restrictions for reasons related to national security, relations with foreign states, and public order. The provisions have also sparked debate over their impact on the Right to Information Act.
(With inputs from The Indian Express)
