India is moving full-steam ahead in the hopes of having the quickest privacy law implementations to date. Minister of State for Electronics and Information Technology Rajeev Chandrasekhar sat with students at Delhi University and reiterated his hope for a swift timeline saying, “We may give a certain amount of time for platforms to migrate, to have consent managers, redesign their consent form, make sure data processing is aligned to the act…we will not give them 2 years. It will be some number, six months or something like that so that transition is orderly,” Chandrasekhar said.
Truyo President Dan Clarke says, “Chandrasekhar said very clearly it’s not going to be a 2 year timeline, he’d like it to be in 6 or 8 months. I don’t think this is feasible, but regardless, he’s emphasizing this is not going to be a long process. With the DPDPB closely resembling others laws that are already active, like GDPR, he feels organizations won’t be starting from scratch and don’t need a long lead time to comply.”
Learn About the Digital Personal Data Protection Bill
The DPDPB provides broad exemptions to government agencies, giving them freedom from gaining consent for the processing of personal data. Other potential exemptions would apply to certain data fiduciaries, calling out startups that may be harbored from complying with the right to access, notices, and data retention parameters. The tiered approach taken in the Digital Personal Data Protection Bill provides obligations to small companies that are less significant than those imposed on bigger companies.
India’s law has a wide reach, touching on a large number of US-based companies with employees and operations in the country. Much like California, India has appointed a group to oversee the law’s enforcement efforts. The Data Protection Board (DPB) is comprised of government-appointed members to review consumer complaints, investigate non-compliance, and levy fines.
Interestingly, the DPDPB outlines legal immunity to the DPB and its members for “anything which is done or intended to be done in good faith under the provisions of this Act or the rules made thereunder.”
In contrast to previous versions of the bill, there is a focus on data transfer restrictions rather than allowances. The 2023 DPDPB gives the government the authority to create a no-transfer list that they will disseminate and update as needed.
Over the next 6 months, we should see quite a bit of movement on rulemaking and implementation guidelines from the DPB as we inch closer to what could be one of the quickest comprehensive privacy law executions to date. The California Privacy Protection Agency’s rulemaking had a lengthier timeline with delays, whereas India’s DPB says a rulemaking draft is already complete and will likely be released soon.
If you have questions about how to implement the requirements of the DPDPB in your Truyo product, please reach out to your implementation manager. If you are not a Truyo client and would like to learn about how we help organizations comply, reach out to hello@truyo.com for more information.