The government’s approach towards implementing the Digital Personal Data Protection (DPDP) Act broadly reflects a pragmatic and balanced strategy, considering the complexities of transitioning industries to a new legal framework. One of the most commendable steps is the 45-day window provided for public consultation. This time frame, coupled with the decision to release the draft rules after the Christmas and New Year holidays, allows key stakeholders, particularly global technology firms often operating with reduced capacities during this period, an adequate opportunity to participate meaningfully in the feedback process.
The government’s nuanced stance on data localisation is another sensible measure. Rather than imposing blanket restrictions, a government-appointed committee will evaluate localisation requirements on a sectoral basis, ensuring that critical personal data remains within the country’s borders only when absolutely necessary. This selective approach balances the need for safeguarding sensitive information with the operational realities of global businesses. For example, if the health ministry is of the view that health record of citizens should not go out of the country, the suggestion will be reviewed through consultations before implementation, mitigating the risk of disruptions to cross-border data flows.
Equally prudent is the Act’s provision for parental consent in processing children’s data. By requiring data fiduciaries to verify parental consent for minors under 18 through digital tokens, the government addresses the vulnerabilities children face in the digital world. This model strikes a balance between safeguarding children’s privacy and allowing access to digital platforms. It is a more practical alternative to Australia’s restrictive approach, where children up to a certain age are barred from accessing social media. The DPDP Act also incorporates mechanisms to ensure transparency and accountability. Provisions for voluntary disclosure of data breaches incentivise organisations to proactively report incidents, fostering trust in the data protection ecosystem. Simultaneously, significant penalties for non-compliance underscore the seriousness of safeguarding personal data. Additionally, the thought that a two-year transition period should be given to businesses to comply with the Act reflects the government’s commitment to ensuring a smooth shift to the new framework.
Electronics and information technology (IT) minister Ashwini Vaishnaw has clarified in the past that the DPDP Act adheres to the principles established by the Puttaswamy judgment, which upholds the balance between privacy and transparency. Existing laws mandating disclosure of public servants’ information will remain unaffected, addressing fears of diminished accountability. It’s a fact that by fostering collaboration with stakeholders, prioritising sectoral needs, and adopting practical measures like parental consent mechanisms, the ministry of electronics and IT (MeitY) has taken a significant step toward ensuring robust data protection while minimising disruptions to industry.
But there is a flip side as well. Retention of broad discretionary powers under the guidelines leads to policy unpredictability, leaving too much room for the government to act on a case-by-case basis. This could hamper compliance efforts, as stakeholders struggle with unclear rules and inconsistent enforcement. The ambiguity and potential legal challenges may benefit law firms, while businesses and stakeholders face heightened compliance costs and regulatory unpredictability. Also, the entire process can be time-consuming, while data protection has become an urgent need for the citizens. Overall, such debates are inevitable and healthy, and the government would do well to fine-tune the new rules further after extensive discussions with stakeholders. After all, a lot is at stake as the new rules will bring in a massive change in how India views and uses the internet.