India's Data Protection Law Now Active, Compliance Timeline to be Shortened

The Indian government has officially set in motion the country's first comprehensive data protection framework, with the Ministry of Electronics and IT notifying the long-awaited rules. This pivotal move establishes a functional privacy law eight years after the Supreme Court recognized privacy as a fundamental right.

Shorter Compliance Timeline on the Horizon

In a significant development, Union IT Minister Ashwini Vaishnaw announced on Monday that the government is actively consulting with industry to compress the current compliance timeline. The initial rules provide a 12 to 18-month window for entities to adhere to the new regulations, a period the Minister indicated will be shortened soon via an official amendment.

When questioned about granting the same timeline to both Big Tech corporations and domestic startups, Minister Vaishnaw acknowledged the disparity. He stated, "It is right that big companies already follow laws like Europe's General Data Protection Regulation (GDPR). We will compress the timeline. We will amend the law."

Key Provisions and Phased Implementation

While the Digital Personal Data Protection Act (DPDP Act) is now operational, its core protections for citizens will be implemented in phases. Some of the most critical elements, including the requirement for entities to obtain informed consent before processing personal data and the obligation to notify users of data breaches, will only become fully effective after the compliance period.

The government has also established the Data Protection Board of India (DPB), the primary body tasked with ensuring compliance. A controversial provision amending the Right to Information (RTI) Act, which restricts the disclosure of personal information about public officials, has been implemented concurrently.

Data Localization and Stricter Rules for Major Players

The new rules introduce a form of data localization, mandating that a government-formed committee will specify the types of personal data that "significant data fiduciaries" must process within India. This requirement, which the tech industry has historically resisted, is expected to face pushback from global technology giants.

Companies like Meta, Google, Apple, Microsoft, and Amazon are anticipated to be classified as significant data fiduciaries based on the volume and sensitivity of the data they handle and potential risks to national sovereignty and security.

Other crucial mandates include the implementation of a mechanism for collecting verifiable parental consent for processing children's data. In the event of a data breach, companies must inform affected individuals "without delay" and provide a detailed description of the incident. Penalties for failing to prevent breaches can reach up to Rs 250 crore.

The notification of these rules on Friday marks the culmination of a process that began when the DPDP Act received the President's assent in August 2023, finally giving India a structured legal framework to protect the digital privacy of its citizens.