India has put the Big Tech companies on notice to comply with the Digital Personal Data Protection Act 2023, a much-debated law that was approved by both Houses of Parliament and by the President in August. However, the tech companies have a grace period of up to 12 months to comply with the new legislation. Notably, platforms such as Google and Meta have been instructed to commence preparations immediately. IT Minister Rajeev Chandrasekhar emphasised that these platforms must provide compelling reasons to justify any request for a transition period, since they already comply with the European General Data Protection Regulation (GDPR).
While the EU’s GDPR, enforced since 2018, is renowned as one of the world’s strictest privacy and security laws, this Act is India’s first attempt at legislation addressing citizens’ online privacy. It establishes guidelines on how individuals’ data can be used by private or government entities. Under this privacy law, companies are obligated to gather personal data through a consent-based mechanism. Non-compliance may result in penalties of up to Rs 250 crore.
Recognising the significant shift for startups, government entities, and micro, small, and medium enterprises, a phased approach is under consideration for the transition period. Government entities, such as those at the central or state level, panchayats, and MSMEs lacking digital readiness for data storage or processing, are likely to receive the longest transition time. Smaller private entities and startups will follow suit.
The Ministry of Electronics and Information Technology (MeitY) has engaged with stakeholders to discuss the industry roadmap for digital data privacy law and clarify any doubts companies may have about the recently passed legislation. The government is slated to release draft rules for enforcing the law within the next four to six weeks, along with the establishment of a data protection board in the coming 30 days.
Data Protection Act 2023
India’s privacy law was enacted after public consultation on a draft bill, despite controversy and criticism from privacy activists. This law imposes stringent penalties, including fines of up to Rs 500 crore for individuals and companies failing to prevent data breaches, including accidental disclosures, unauthorised sharing, tampering, or destruction of personal data.
The legislation also mandates obtaining consent before collecting personal information. It grants individuals (referred to as Data Principals) authority over their personal digital data while obligating enterprises (Data Fiduciaries) to lawfully process personal data for specific purposes. The law also mandates the formation of the Data Protection Board (DPB) staffed by professionals.
However, a major issue with the law is that companies involved in data breaches can voluntarily disclose the breach and pay a penalty as a form of plea bargaining. The law also decriminalises most provisions related to data breaches, designating the DPB as the central authority responsible for imposing penalties in such cases. This has raised concerns about a dilution of the law.
The Bill contained a "deemed consent" provision, allowing government departments to assume consent for processing personal data on grounds of national security and public interest. Critics saw this as a potential threat to the autonomy of the proposed data protection authority. However, the government assured that the adjudicating authority would consist primarily of independent industry experts rather than government officials.
The Privacy Act lays down broad principles of data protection, with a rulebook expected to set out the implementation roadmap and processes. Currently, the Act defines 26 items on which the government can frame rules.
Implementation of the Privacy Act is anticipated to face several challenges, particularly the compliance costs for businesses, which could rise significantly, especially for small and medium enterprises. Penalties for non-compliance can reach up to Rs 250 crore.
Additionally, while the government believes individuals can give meaningful consent to the use of their own data, it is evident that even technologically literate individuals may struggle to grasp the intricacies of data privacy. Experts contend that the law may remain ineffective if individuals are not fully aware of their rights and of what granting consent entails.
As with any emerging technology, the government must ensure that the law evolves at the same pace as technological advancements. For instance, while the EU moved ahead with AI regulation, it is now grappling with how to incorporate newer technologies like ChatGPT and Bard into its regulatory framework. By the time improved regulations emerge, technology may have advanced further still.