MeitY Seeks Industry Views on Fast-Tracking DPDP Act Rollout
The Ministry of Electronics and Information Technology (MeitY) has requested input from social media platforms and digital companies regarding expediting the enforcement of important provisions within India's Digital Personal Data Protection (DPDP) Act and Rules.
This includes consideration of reducing the compliance period for data fiduciaries from 18 months to 12 months.
Also Read: SFL Bolsters India’s Youth Sports Pathway with Leadership Bench
In correspondence sent to various platforms subsequent to a meeting on January 22, the ministry has disclosed its contemplation of three significant modifications to the enforcement plan.
The ministry has also requested feedback from industry stakeholders by February 4, as per reports. In the proposed modifications, MeitY is contemplating the immediate implementation of Rules 15 and 23 of the DPDP Rules, as well as putting Rule 8(3) into operation within a timeframe of three months.
Rule 15 outlines the circumstances in which personal data can be utilized for research, archiving, and statistical purposes in a de-anonymized manner, while Rule 23 addresses various procedural elements within the DPDP framework.
The government aims to implement Rule 8(3) within a three-month period, enabling data fiduciaries to extend the retention of personal data beyond its initial purpose in instances dictated by law, court mandates, or investigative and legal proceedings, under specified protections and precautions.
Also Read: Nestlé India Names Nitu Bhushan as HR Head
In the meeting held this month, officials presented recommendations aimed at expediting enforcement timelines for multiple regulatory provisions. One specific suggestion proposed was the immediate enforcement of rules pertaining to cross-border data transfers and personal data classification, based on the argument that they do not necessitate substantial infrastructural enhancements by companies.
The ministry has suggested a shorter enforcement period of 12 months for Rule 13, which pertains to the responsibilities of Significant Data Fiduciaries (SDFs). This entails guidelines regarding the handling of certain types of personal data within India, as advised by a committee appointed by the government.
One additional proposition being explored involves the prompt implementation of Section 17(2) of the DPDP Act, necessitating notification of authorized entities and establishment of an exemption system for specific data processing activities.
Major technology corporations are anticipated to be categorized as Significant Data Fiduciaries upon the commencement of official designations, taking into account criteria such as the quantity and sensitivity of personal data handled, as well as the potential threats to national sovereignty, public stability, and electoral fairness. Within the DPDP framework, SDFs will be subject to heightened regulatory obligations, such as mandatory annual assessments on data protection impacts, external audits, and the responsibility to guarantee that algorithmic systems handling personal data do not violate user rights.
Also Read: BCIC, IIID Sign MoU to Enhance Bengaluru’s Urban Infrastructure
Additionally, the regulations grant the Centre the authority to impose limitations on international data transfers for specific types of sensitive personal data. The government's decision to shorten compliance deadlines is expected to encounter opposition from the industry. The industry has consistently contended that meeting DPDP requirements necessitates significant technical and operational modifications to data infrastructure, consent systems, and mechanisms for addressing grievances.