Rules for the Digital Personal Data Protection Act, 2023 will come out in the coming month, Minister of State for Electronics and Information Technology Rajeev Chandrasekhar said on Wednesday. Mr. Chandrasekhar was speaking at a “Digital India Dialogues” event, where industry representatives from firms that will have to comply with the requirements of the DPDP Act were present.
The Act itself has not been notified, even though it received the President’s assent after being passed in the monsoon session of Parliament. Different portions of the Act will come into effect after the IT Ministry passes notifications to give them force and prescribe further rules. “We will also work on forming the Data Protection Board [of India] in the upcoming month,” Mr. Chandrasekhar said in a press note, referring to the adjudicatory body that will be set up to hear complaints on data breaches.
Explained | What is the Data Protection Bill of 2023?
The DPDP Act sets out requirements for protecting Indian residents’ data when it is stored digitally, and will impact a range of businesses, from social media platforms to online retail companies. Government and law enforcement agencies enjoy broad exemptions from the law’s requirements.
“We think of three categories of companies that are differing in terms of transitioning,” Mr. Chandrasekhar said. State and panchayat-level government bodies, early-stage startups and MSMEs may have some extra time to comply with the Act’s requirements due to their limited “sophistication” in data management, he said. “The rest of the world,” Mr. Chandrasekhar said, would have to comply.
Mr. Chandrasekhar ruled out compliance timelines longer than a year. “The government’s thinking is, to a large extent this Act can be complied with by most of the data fiduciaries” quickly, he said.
There will be a “one day session” consultative process to discuss the rules to be notified before they are enforced, Mr. Chandrasekhar further added. “The Act’s objective is to create a culture of behavioural change among all those who deal with personal data and create the change required to make them responsible.”