Data Protection Law To Be Implemented In 10 Months; Big Tech Firms Will Have To Comply First

The Digital Personal Data Protection law would be implemented in roughly 10 months, the government has said, news agency PTI reported. Union IT Minister Ashwini Vaishnaw has said that the Centre has started work on its implementation. The Digital Personal Data Protection Bill (DPDPB), 2023 was cleared by the Parliament on Wednesday. The bill was passed in the Rajya Sabha by a voice vote amid sloganeering by the Opposition. The DPDPB comes six years after the Supreme Court (SC) declared that the "Right to Privacy" was a fundamental right. The bill would be sent to President Draupadi Murmu for assent. After it is officially notified in the gazette, the bill would become law.

Vaishnaw said that the data collected by the citizens should be used as per the law, only for the purpose for which it has been collected and the quantum of data should be limited to the requirement. He also mentioned that DPDPB has laid down several obligations on private and government entities on the collection and processing of every citizen's data.

"...This kind of legislation will require a 6-10 month kind of frame. We will take every step with proper checks and balances. It is a guesstimate. We might do it faster than that," Vaishnaw was quoted by PTI.

According to a report by Indian Express, the government would "follow a graded approach" in the way the data protection bill is implemented for different entities. Big Tech companies Facebook, Google, Amazon, Microsoft and Apple are first in line to be transitioned and startups and smaller would be given a longer transition timeline, Minister of State for Electronics and IT Rajeev Chandrasekhar was quoted as saying in the report.

One of the key highlights of the bill is that businesses and companies can't process personal user data without their explicit consent. The bill has done away with jail terms and criminal penalties, envisioned under the older versions. The DPDPB also suggests a penalty of up to Rs 250 crore per instance of data breach and a maximum penalty of Rs 500 crore for all such breaches.

Unlike the approach of major data jurisdictions, for example in the European Union (EU), the bill has also moved to a "blacklisting" approach for cross-border processing of personal data and transfer. This means that the Centre would determine certain regions where data cannot be processed, unlike in the EU where the approach is to identify and whitelist regions that follow and implement adequate legal standards for processing data within their geographies.