The government has drafted rules under the Digital Personal Data Protection (DPDP) Act and intends to release them for public consultation soon, as announced by Ashwini Vaishnaw, the Minister of Electronics and Information Technology, during the India Mobile Congress on Friday.
The DPDP Act, a long-awaited legislation for data protection, received presidential approval on August 12.
Simultaneously, progress is being made on the digital infrastructure for the Data Protection Board, as required by the DPDP Act, which is anticipated to function primarily in a digital capacity. This involves the establishment of a digital system to receive and manage complaints, conduct hearings, and issue decisions.
In its current form, the Act strikes a well-balanced approach between fostering innovation and ensuring protection. Nearly every company we’ve consulted with is content with the Bill and eagerly anticipates its implementation, according to Vaishnaw.
Vaishnaw clarified the sequence of steps required for implementing the DPDP Act. Firstly, the draft rules will be made available for public consultation for at least 45 days. Concurrently, the digital infrastructure for the Data Protection Board (DPB) will be developed. Subsequently, the notified rules will be presented to Parliament for approval, and the DPB will be established following parliamentary approval. The earliest these Rules can be presented in Parliament, after notification, is in December, coinciding with the expected truncated winter session.
The DPDP Act mandates the notification of 25 sets of rules to enable the enforcement of the Act. Vaishnaw stated that all 25 sets will be released for public consultation simultaneously and will be notified concurrently.
Vaishnaw expressed that the government is disinclined to grant companies a 12-18 month grace period for compliance with the Act, questioning the need for such an extended transition period for data protection. He noted that the industry is already well-versed in data protection, given that regulations like the European Union’s GDPR and Singapore’s Data Protection Act are already in effect.
The Ministry of Information Technology has encountered challenges in crafting rules that extend beyond the scope allowed by the parent act. More than 20 lawsuits are currently pending against the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, across various high courts and the Supreme Court. Among other issues, these legal challenges argue that the IT Rules 2021 exceed the authority of the parent act, the Information Technology Act.
Vaishnaw emphasized the high level of compliance among digital platforms, indicating that they have responded to government notices. He cited the Ministry’s recent notice to Telegram, YouTube, and X (formerly Twitter) on October 6 to remove child sexual abuse material (CSAM) from their platforms as an example.
Vaishnaw asserted that digital platforms should no longer benefit from unrestricted and unlimited immunity from liability for third-party content. He suggested that there is a growing global demand for strengthening the content moderation process, aligning with evolving societal expectations.