'Unless the government comes up with the rulebook, the technical requirements will not be clear to us.'
'Going by the Act, non-technical provisions can be complied with within six months.'
'But we need up to 24 months for provisions like parental consent.'
The government may not table the rules to enforce the provisions of the Digital Data Protection Act, 2023, in the upcoming winter session of Parliament, further delaying the implementation of the law enacted in August, Business Standard has learnt.
"Though the rules are ready, they are expected to be released for public consultation only around mid-November," a senior government official said on Thursday.
"Once the rules are notified, there will be a consultation period of 45 days, followed by the setting up of the Data Protection Board."
As India's first-ever dedicated legislation for digital privacy, the DPDP Act provides broad principles of collection and processing of personal information in digital form.
The Act prescribes monetary penalties of up to Rs 250 crore (Rs 2.5 billion) for each instance of a data breach and blocking of entities in case of repeated violations.
However, the way of implementation and the exact processes will be 'as may be prescribed' in the rulebook.
The Act has defined 26 matters on which the government can make rules to enforce the provisions of the Act.
"Unless the government comes up with the rulebook, the technical requirements will not be clear to us. Going by the Act, non-technical provisions can be complied with within six months. But we need up to 24 months for provisions like parental consent," an industry executive said.
Alarming incidents of data leaks in recent months have intensified the need for the enforcement of the data protection law.
Last month, around 815 million records of personally identifiable information of Indians were found to be put on sale on the Dark Web, according to a report by US-based cybersecurity firm Resecurity.
"While the Act creates a legal structure for enforcement of rights related to personal data and penalties for erring entities, citizens cannot pursue these legal remedies until the DPB (Data Protection Board) and relevant rules are notified. So at best, the Act is currently providing guidance to data fiduciaries to update their processes and priorities," said Nikhil Iyer, senior policy analyst, TQH Consulting.
While the government wants big companies to comply with the law as soon as it notifies the rules, major industry bodies have been asking for more time to implement the changes required under the Act.
Local and global companies such as social-media giants, big tech platforms, and fintechs are lobbying for 18 to 24 months of a 'transition period'.
Last fortnight, Ashwini Vaishnaw, Union minister of communications and information technology, called the industry demand for a longer transition period 'unnecessary'.
Companies are worried about some provisions of the law, including the role of data fiduciary and the consent manager framework.
"Without the rules, the data fiduciaries have little clarity on the exact legal mechanisms they have to follow and implement. This may lead to a situation where they are held responsible for certain acts they could not have known were going to be declared illegal under the rules," said Iyer.
He noted that it is important to provide clarity on the rules and expedite the consultation process.
"Though there's a delay in the rules getting notified, this doesn't mean that whatever is happening till the notification of rules may not come under scrutiny. So anything which is happening at this moment could also fall under the scrutiny of the Data Protection Board," said Kamesh Shekar, senior programme manager at The Dialogue.
There is a possibility for retrospective actions since the data protection legislation has been passed, he added.
Feature Presentation: Rajesh Alva/Rediff.com
1 year likely to comply with data protection norms
'Data protection bill veered away from core issues'
Data protection bill may threaten innovation, growth
Govt withdraws Data Protection Bill from Lok Sabha
Why India needs a Data Protection Law