Data protection rules likely by year-end, says DSCI chief Vinayak Godse

DSCI chief Vinayak Godse says this will pave way for rollout of the data privacy law

The regulations for the Digital Personal Data Protection (DPDP) Act are likely to be published by the end of this year, paving the way for roll out of the data privacy law more than two years after its passage, Vinayak Godse, chief executive officer of the Data Security Council of India (DSCI), said.

 

“It seems to be in the last leg of deliberations and should happen before the end of this year,” Godse said during an interaction with Business Standard.

 

The Indian government has drafted and redrafted the rules and taken in suggestions from the relevant stakeholders, but is yet to make the Act come into effect due to a delay in the release of the administrative rules. Many say the government has gone slow in order to assess the impact of the regulations on all sectors – from banks and insurers to big technology companies.

 

Godse said that people have failed to understand the ramifications of the Act as it will change the way the country deals with data. He believes that it is better to take time to frame the rules rather than repent for being in haste.

 

“Millions of organisations in India are collecting and processing data, be it the government units or big tech companies and implementing this for all is a challenge. You have to be very mindful of how we bring this. It is not easy in a big country like ours. It is better to take time than repent later,” he added. 

 

According to Godse, India’s digital innovation such as UPI and Aadhaar have been world beaters and the country is putting a legislation which could probably put some spanners to the wheels of digitisation which are moving very fast.

 

“One has to be very mindful because it will be applicable for big tech platforms and even for banks and insurers, whose business is completely different.”

 

Specifically, Godse sees parental consent to children below the age of 18 years as a challenge. “It is difficult. How do you make sure of that without compromising on the privacy and the basic ethos of the Act. Even parents of kids between 14-18 sometimes let them use it. So how you capture this information is critical.”

 

The provisions of the DPDP Act cover almost all facets of online markets, including ensuring that the personal data of Indian users is not shared with governments of other countries. The government is also acting risk-averse at the moment to ensure that some valid concerns, which may have been overlooked during public consultations, are adequately addressed to avoid litigation later.

 

The DSCI has also submitted suggestions to the government on security safeguards, intimation of personal data breach, verifiable consent for children and people with disabilities and additional obligation of significant data fiduciary (SDF).

 

The Act also has provisions that place a larger burden on companies with a larger number of users. Such enterprises, referred to as SDF, can be classified by the government based on the volume and sensitivity of personal data being processed, the risks to user rights, and the potential impact on the country's sovereignty and integrity, among other factors.