India, which is one of the largest data markets in the world, will finally get its privacy law with the President’s assent. The government is now likely to move on to framing and rolling out the rules and regulations of the DPDP Bill. Officials had earlier told ET that the framing and rolling out of the administrative rules and regulations under the DPDP Bill would be done within the next six to ten months.
Minister for electronics and IT Ashwini Vaishnaw said on Twitter, “DPDP Bill becomes an Act. Received Hon’ble President’s assent.”
Calling it the “First big cyber law milestone” for what is being dubbed as India’s techade, minister of state for electronics and IT Rajeev Chandrasekhar said on Twitter “And the #DPDPBill is now law… next milestone is #DigitalIndiaAct – coming soon.”
The administrative regulations to be rolled out will be kept simple and there will not be a multitude of layers of rules, union electronics and information technology minister Ashwini Vaishnaw told ET last week.
Discover the stories of your interest
“The implementation structure will be entirely digital and work on the rules and regulation framework has already started. That will be rolled out in the coming months. In our constitutional and legal system, the rules are always in line with the law. They cannot go beyond and have to be within the four walls set by the law,” Vaishnaw had said.The rules will be implemented in such a way that the continuity of business is maintained and there will be ample time given for the rollout of the regulations, the minister of state for electronics and information technology Rajeev Chandrasekhar told ET.
“There are significant administrative steps that have to be taken. There is always the possibility that there are things that we have missed, overlooked or there are new challenges that are emerging. We want to make sure this is a big, successful first step in the creation of a standard cyber law framework,” Chandrasekhar said.
An earlier version of this law, called the Personal Data Protection (PDP) Bill, was withdrawn from the Parliament last year in August. An updated, slimmer version of the bill was introduced this year in the Parliament by Vaishnaw.
The law aims to give all citizens, also called data principals, tighter and better control over the use of their personal information by all kinds of companies, government agencies and businesses. Any agency which handled the personal data of citizens will be known as a data fiduciary.
Such data fiduciaries cannot process the personal data of any user without their explicit consent. Companies which process such personal data must obtain consent from the user by giving exact details of the purpose for which the data is collected and delete it as and when this consent is withdrawn as per the provisions of the law.
The law also states that the consent must be obtained in a clear and legible language of the choice of the user, provided the language is one of the 22 official languages as per the eighth schedule of the Constitution of India.
The new law also adopts a “blacklisting” approach for cross-border transfer and processing of personal data”. This means that companies will be free to transfer data to any country or geography of their choice, provided such country or geography has not been barred by the Indian government.
The central government, therefore, will by default trust all countries and data fiduciaries to store and process the personal data of citizens in a safe and trusted manner, Chandrasekhar had earlier told ET.
“In the event that there is any signal or sign or evidence that it is an untrusted geography where the DPDP is not being enforced, cannot be enforced, or data processes in that geography are wilfully negligent of the law or are violating the law, then that becomes a blacklist,” he had said.