DPDP Act draft rules expected within two weeks; transition period likely to be restricted to 6 months

The Centre is likely to release the draft rules under the Digital Personal Data Protection (DPDP) Act, 2023 within the next two weeks.

According to the sources close to the development, the compliance or transition period under the same will likely be kept between six to eight months only, with provisions for up to Rs 250 crore penalty for any data breach.

This is said to be a major setback for social media companies and telecom operators who have been lobbying for a transition period of 18-24 months at least to fully comply with the Act, because of the technological complexities and complete overhaul of the present consent manager framework.

Many of these companies use legacy systems to store data and hence are likely to struggle while aligning data management processes to the Act.

According to another source familiar with the matter, the transition period could be more stringent for established bigger players as compared with smaller entities.

It is to be noted that data privacy laws including the General Data Protection Regulation (GDPR) and Singapore's Personal Data Protection Act (PDPA)- from where the DPDP Act has taken inspiration, gave companies around two years to make the transition, change business practices and then were levied with the penalty violation.

Read more: BREAKING: DPDP rules will soon be released for public feedback, says Ashwini Vaishnaw

"The compliance aspect will be challenging because the Act is going to create a complete overhaul in business operations and the industry has not yet fully understood it. Tech giants will have it comparatively easier because they've been complying with the procedures of other countries but Indian corporates are going to face a lot of challenges. Companies haven't fathom the amount of resources and time which will be required to comply with this law," pointed out Akshayy S Nanda, Partner, Saraf and Partners.

In fact, mar-tech agencies will be amongst the most impacted.

"Companies who already have existing marketing databases but don't have consent, will now have to delete the data from the database. Neither you can use it nor you can store it under the new Act. Companies have to figure out different ways of to actually gather, collect and build database for marketing purposes from the scratch," Nanda explained.

However, early-stage startups are likely to be given 3-6 months as the grace period to test their products during which they will be exempt from certain stringent provisions

The Act has seven critical guiding principles. One is lawfulness, fairness and transparency of processing personal data- one can only process personal data in a lawful manner by having the consent, while all processing has to be done in a fair manner. Meanwhile, providing adequate information to the individuals regarding what is the personal data that is being collected and for what purpose. The second guiding principle is purpose limitation- the law provides that if one collects the personal data for a particular purpose, it can not be used for any other purpose.

Third is data minimisation. For years, companies have been collecting personal data and storing for future monetisation purposes. With the new Act, once the purpose for which the personal data was collected is completed, one can't hold on to that data for perpetuity. Fourth guiding principle is accuracy, which is the obligation on companies to ensure that data is kept accurate and correct.

Fifth is data minimisation, which means that companies can only collect personal data which is necessary for them to provide the services. Sixth is integrity and confidentiality, ensuring that personal data is protected and there is no personal data breach. And lastly is accountability.

DPDP Act basically aims at data minimisation, purpose limitation and storage limitation and once implemented, all digital platforms will have to take the consent from each of their users- for the consent, purpose or future usage. Additionally, companies with large volume of data will also have to appoint data protection officers, who will be the point of contact for the grievance redressal mechanism.

Read more: Is India’s DPDP Act a Blueprint for Global Data Protection Standards?

However, the stakeholders have been raising objections regarding the notification of personal data breaches. The law provides that in case of a personal data breach, one will have an obligation to notify the regulator, which is going to be the Data Protection Board.

Also, there is no risk threshold. "Under the global laws, there is a risk threshold regarding notification to the regulator because there can be several data breaches where there is no risk. In DPDP, there is no risk threshold and the penalty for not notifying the regulator can go up to Rs 200 crore," Nanda highlighted.

The Act carries the obligation for the companies/entities to provide a privacy notice to the individuals- which will consists the purpose of the collecting the personal data, kind of data collected and the rights that the individuals have under the law. The is to be drafted in a simple language, with no legal jargon, and in 23 different languages.

The DPDP Act was passed by Parliament on August 9, 2023 — about six years after the Supreme Court upheld privacy as a fundamental right. Despite being announced last year, the Act has not yet taken effect since its rules and regulations are still have not been released or finalised.