The draft DPDP rules were published late last night. The rules have come more than 16 months after the parliament passed the DPDP Act in August 2023. The draft rules are open to public comment until February 18. The industry had been clamouring for these rules for guidance in preparing systems for compliance with the DPDP Act.
On the delay, the Minister said that despite the 2024 Lok Sabha elections, the government has arrived at a law and rules that provide a completely digital workflow.
On the obligations of the industry, the minister assured that the compliances are consistent with the Supreme Court’s privacy judgment. For clarity, he assured that the rules are in simple language, supported with illustrations.
He also noted that the rules could not have been made prescriptive to enable the law to keep pace with fast-changing technology. He also cited from technology ministers of other countries that the compliance burden that the European laws had burdened their companies will not be seen in India.
On the issue of compliances like the Data Protection Officer prescribing “reasonable” security measures and norms for storage and processing data, impacting smaller companies, Vaishnaw clarified that most of the requirements are already common industry practices. He assured that the government has worked closely with the industry on formulating these requirements. He further assured that the industry will be allowed two years to fully comply with the law and rules.
On the issue of rules requiring companies to take parental consent for children, the Minister said that draft rules provide a digital mechanism where existing digital architecture can be used for migration using digital tokens. He clarified that the industry has been widely consulted. He noted that there’s a big possibility of harm to children, and the government needs to guard against it.
The rules have also introduced a power where the Centre can prescribe what kinds of data can be sent overseas. The minister said that this power prescribed under the rules is consistent with the DPDP Act. He clarified that the rules merely provide for situations like the RBI directing for financial data to be stored in domestic servers.
The rules also provide an exemption from the Act to the government and related entities. As per the rules, government entities providing subsidies, benefits, licenses, or permits are exempt. Vaishnaw said that the law and rules apply to all entities collecting data. He explained that if consent has been provided for one service, the recipient should not be required to give consent all over again for another government service.
(Edited by : Ajay Vaishnav)
First Published: Jan 4, 2025 6:06 PM IST