Big Tech's Compliance Timeline Shortened in India
The Indian government is taking significant steps to enhance data protection, particularly concerning major tech companies such as Meta, Google, and Amazon. The Ministry of Electronics and IT (MeitY) is contemplating a reduction in the compliance timeline for these firms under the Digital Personal Data Protection Act, 2023. Currently set at 18 months, this timeline may be shortened to 12 months, reflecting the government's aim to establish distinct compliance standards for large corporations and startups.
This proposed change has raised eyebrows across the tech industry, as it could lead to a wave of resistance from these big players. The government is particularly focused on 'significant data fiduciaries,' which are tech companies that handle a large volume of sensitive personal data. These companies will be required to follow stringent rules, including conducting annual data protection impact assessments to ensure their practices do not infringe on users' rights.
Under the new rules, the Centre will specify what kinds of personal data significant data fiduciaries can process. This will include restrictions on transferring any personal or traffic data outside of India. By compressing the compliance timeline, the government believes that larger companies, which already adhere to strict regulations like the General Data Protection Regulation (GDPR) in Europe, will have the capacity to meet India’s requirements more efficiently.
Moreover, a government committee is expected to be formed soon to determine the types of personal data that must be stored within India. This swift action demonstrates the government’s commitment to establishing a robust privacy framework, which has been a long time coming since the Supreme Court recognized the right to privacy as a fundamental right eight years ago.
Despite these advancements, there are concerns about how the new regulations will be implemented, especially regarding the mechanisms for obtaining parental consent for processing children's data. The government has left it up to companies to devise their own systems, which may pose challenges.
In the event of a data breach, companies will be mandated to inform affected individuals promptly about the breach's nature, extent, and potential consequences. Failing to implement sufficient safeguards could lead to hefty penalties, potentially reaching up to Rs 250 crore. While these regulations aim to enhance data security, they also face scrutiny for providing broad exemptions to the government for processing citizens' data on grounds of national security and public order.
As these developments unfold, the balance between protecting citizens’ data and ensuring that businesses can operate effectively will be critical. The coming months will determine how these regulations are received by the industry and their actual impact on data privacy in India.
