Communications and IT minister Ashwini Vaishnaw on Wednesday said the government will consult industry on the transition time to comply with the provisions of the Data Protection Bill.
The Bill, which has been approved by both Houses of Parliament, will now be presented before the President for final approval, after which it will become an Act.
“We expect to soon implement the provisions of the Bill. Whatever discussions we have had with the industry so far, they are ready (to comply) with this new legislation,” Vaishnaw told reporters after the Bill was passed in the Rajya Sabha on Wednesday.
Asked about further discussion with the industry, Vaishnaw said, “Of course, the government will consult industry and will accordingly decide on the time for compliance related to the provisions of the Bill.”
The statement assumes significance because while the industry has appreciated the Bill, it has said implementation will be cumbersome.
Once the Bill becomes an Act, the government will notify a rulebook to guide the industry on provisions of the legislation.
According to officials, the government expects the Bill to be implemented in up to six months in terms of putting in place a complete system for consent and data management.
“We have to be extremely careful at every step because this is a very big change. So we will take every step with proper checks, proper balance, and proper verification,” Vaishnaw said, adding that the government will soon implement the provisions of the Bill and put a system in place.
With regard to cross-border data flow, the government will permit different sectors to frame their own guidelines with approval from the government.
According to Vaishnaw, pre-existing regulations for sectors supervised by different regulators will supersede the provisions of the data protection Bill in case of any contradiction. Further, provisions of the Bill will be applicable to foreign citizens who are in India, whereas for Indian citizens travelling abroad the norms of the respective country will be applicable, Vaishnaw said.
With regard to the exemptions on some data fiduciaries and startups, the government will soon come up with a regulatory sandbox wherein upon proper verification, the companies will get exemption from some provisions. Vaishnaw, however, clarified that such companies will not be exempted from penalties in case they violate the Bill.
On Opposition comments on setting up different data protection boards at the state level, Vaishnaw said there is no need for such boards as the functioning of the Data Protection Board will be digital by nature.
Murali Rao, cybersecurity consulting leader at EY India, said, “As the next steps towards the enforcement journey, a Data Protection Board needs to be set up and rules to be released through separate notifications, which could be for specific parts of the law.”
According to Rao, there are implementation complexities that could prove to be a challenge for organisations, such as ensuring verifiability of parental consent for processing personal data of children, building a mechanism for obtaining and recording consent of data principals through a consent manager.
Sivarama Krishnan, partner of risk consulting at PwC India, said, “The Bill places reasonable obligations on data fiduciaries, ensuring responsible handling of digital personal data. Introduction of consent managers, additional obligations on significant data fiduciary and verifiable parental / guardian consent for are welcome inclusions to Bill.”
According to Shreya Suri, partner at INDUSLAW, the heavy penalties attached to breach mean that data fiduciaries must proceed with due care and err on the side of caution. “Overall, this Bill is a positive and a much-needed step for India and will also help position India as a viable jurisdiction for data adequacy arrangements with other progressive nations,” Suri said.