Centre weighs shorter DPDP compliance window, says industry already meets global data norms

The DPDP rules spell out operational norms for entities in the collection and handling of personal data and protect the rights of individuals

BestMediaInfo Bureau

New Delhi: The Digital Personal Data Protection (DPDP) rules, which currently offer an 18-month transition period for companies, may see this timeline "compressed" for large companies as the government engages with industry stakeholders on the issue.

Big tech firms and many large companies already abide by stringent data protection standards in many other markets, among them the General Data Protection Regulation (the European Union's data privacy and security law), and this argument has prompted discussions about faster implementation of the new rules in India.

Asked about the rationale for the 18-month transition period when many large companies are already complying with stringent norms elsewhere, IT Minister Ashwini Vaishnaw said the government is already in touch with the industry on the issue.

"We have been discussing with industry... the first set of rules has been published, and this gives a reasonable timeframe depending on what the industry's ask was and what our thrust was."

He added, "But we are also in touch with the industry to further compress the time required for compliance because... the same argument we have given to the industry is that you already have a compliance framework that exists in other geographies... why can't you replicate...?" Vaishnaw said, responding to a question on why large tech companies have been given the same compliance timelines as, say, startups.

The industry has been "quite positive" in these discussions.

"So as we go forward, once the data protection board is put in place and the complete digital framework, which has already been prepared, is rolled out... after that we will have further amendments in rules so that we can compress the timelines," Vaishnaw said.

The DPDP rules that operationalise the principal legislation come into effect through a staggered timeline, allowing 18 months for companies processing personal data to shift to the new regime.

The provisions around the Data Protection Board, which will be responsible for overseeing enforcement and implementation of the DPDP Act and its rules, including handling complaints, conducting inquiries, and ensuring compliance with data protection obligations, come into force immediately, while the consent manager framework activates after 12 months, and compliance obligations like user consent notices, security safeguards, data rights, and breach notifications apply after 18 months.

The DPDP rules spell out operational norms for entities in the collection and handling of personal data and protect the rights of individuals.

"Data protection rules will be a major change in the way our citizens' data and privacy is protected by the digital ecosystem. The rules are in a simple language, highly focused on implementation; we have considered all inputs from industry and citizen groups," Vaishnaw said.

India is prioritising the creation of a new legal framework tailored for the digital world. Such a regulatory and legal structure is essential for protecting society from the challenges posed by disinformation and deepfakes, the minister said, emphasising the need for a broader scope that incorporates expert contributions and robust techno-legal measures to effectively address the nuances of the digital world.

"The way digital technologies and new opportunities are coming up, protecting the interests of citizens and the coming generations is of the utmost importance," the minister asserted.
