Thursday, July 25, 2024
HomeBusinessData protection board, major rules likely in a month: MoS IT Rajeev...

Data protection board, major rules likely in a month: MoS IT Rajeev Chandrashekar

The Centre will set up the data protection board (DPB), a key organisation for grievance redressal under the Digital Personal Data Protection Act, within the next 30 days, Minister of State for Electronics and IT Rajeev Chandrasekhar said Wednesday.

He also said that over the coming month, the government will also issue ‘necessary’ rules that will offer clarity on some of the provisions of the law. As such some key rules, which are necessary to operationalise the law, will be released within a week, he said. “Around 8-9 key rules will be released, including those dealing with consent mechanisms,” Chandrasekhar said.

During a meeting with industry executives from top social media companies, lawyers, and industry bodies, Chandrasekhar also clarified that even though the data protection board does not exist as of now, entities that have faced a data breach since the notification of the law in August will be held accountable upon the formation of the board.

The consultation was attended by about 125 people representing various companies, including Meta, Lenovo, Dell, Netflix, among others.

The government will shortlist candidates for the data protection board in the coming days, Chandrasekhar told The Indian Express on the sidelines of the event.

“We will shortlist names for the board soon. Our thinking is, why not appoint young professionals instead of retired judges and bureaucrats,” he said.

Also Read | Entities may be given a year to comply with data protection norms except age-gating: MoS IT

The Digital Personal Data Protection Act, 2023, even though notified as law, depends heavily on subordinate legislation – at least 25 rules have to be formulated to operationalise the Act, and the government has also been empowered to enact rules for any provision that it deems fit.

Even though the industry has welcomed the Bill, there is a major sticking point that has consumer-facing platforms, such as social media companies, in a fix – obtaining parental consent before processing children’s personal data. Companies are looking forward to the upcoming rules to get more clarity on how the system can be operationalised.

A representative from Snap said that developing a mechanism to obtain such consent will require the “most engineering effort,” and suggested that companies be given a longer timeline period for certain specific provisions in the Act. A Meta representative echoed Snap’s views and said that wherever the obligation is unique to India, and where the obligation has a dependency on third parties and perhaps that third party doesn’t have a mature solution, a longer transition period should be allowed.

While Chandrasekhar seemed to agree with assertions made by Snap and Meta for a longer compliance period for specific provisions, he categorically said that the timeline can not be more than a year. “Age gating, parental consent requires an EKYC framework to be in place, so that will take a longer transition period. Not more than 12 months (will be given),” he said.

He also declined a request to exempt financial services companies from provisions of the Act, stating that the law provides for regulation by two bodies.

Reiterating that there will be a graded approach to compliance for different entities, Chandrasekhar said, “We are thinking that two categories of companies will have different thresholds of transition. First is some government entities that are low on digitisation, especially in the states and at the panchayat level, who will require slightly more time”.

“Then there are MSMEs, early stage start-ups and other institutions that have a vital public service such as hospitals and may not be aligned with the most sophisticated data management practices will certainly be given more time to comply,” he added.

Most Read 1Chandrayaan-3 mission: Dawn breaks on Moon, all eyes on lander, rover to wake up 2As Indo-Canadian relations sour, anxiety grips Indian students, residents who wish to settle in Canada 3Karan Johar says Sanjay Leela Bhansali did not call him after Rocky Aur Rani: ‘He’s never called me but…’ 4Shubh’s tour in India cancelled: Why is the Canada-based singer facing the music? 5Gadar 2 box office collection day 40: Hit by Shah Rukh Khan’s Jawan onslaught, Sunny Deol movie ends BO run with Rs 45 lakh earning

The law requires companies to gather personal data of users through a consent-based mechanism, even as it allows some relaxations to that end for certain “legitimate uses”. The penalty for not being able to take enough safeguards for preventing a data breach could go as high as Rs 250 crore.

The Data Protection Act also allows significant concessions to small businesses and start-ups from some key provisions including exempting them from the requirement to maintain the accuracy of a user’s personal data, which is to be used to make a decision that affects the user.

Also ReadAkasa Air CEO Vinay Dube defends decision to sue some pilots, assures emp…Sensex plunges 796 pts, Nifty closes at 19,901; HDFC Bank, Reliance weigh…Govt may soon tweak PLI schemes for pharma, textiles, dronesFrance’s TotalEnergies to invest $300 million in JV with Adani Group

The law has retained the contents of the original version of the legislation proposed last November, including those that were red-flagged by privacy experts, such as exemptions for the Centre. In its new avatar, the proposed law has also accorded virtual censorship powers to the Centre.

- Advertisment -

Most Popular