Staggered compliance period required under Privacy Act: Nasscom to IT Ministry
Nasscom pointed out that organisations with no prior data protection experience will need to build their compliance programmes from scratch and will thus need the most time.
The Ministry of Electronics and Information Technology needs to consider staggered deadlines for complying with the pending Digital Personal Data Protection Rules, leading industry body Nasscom said in a representation to the government. Nasscom, after discussions with the industry, pointed out that organisations with no prior data protection experience, such as government organisations, logistics companies, professionals, offline retailers, research institutes and schools, will need to build their compliance programmes from scratch and will thus need the most time.
Even organisations that have prior foreign data protection experience will need time to comply with India-specific elements under the Digital Personal Data Protection Act, Nasscom said. The industry body pointed out that unlike foreign data protection laws where the data principal is defined only as an individual, under the Indian act, a data principal can also be a group of individuals, such as parents and children, and people with disabilities and their legal guardians.
Nasscom also pointed out that under the DPDP Act, withdrawal of consent triggers erasure of personal data, a requirement that does not have a parallel in foreign laws. “This requires new technical measures to be deployed, which will take time to develop and test before deployment can happen at scale,” the body said.
Last month, IT minister Ashwini Vaishnaw had said, “The government is not inclined [to give companies 12-18 months to comply with the Act]. Why should people ask for so much time for data protection? Practically the entire industry is attuned to it given that the [European Union’s] GDPR, Singapore Data Protection Act, etc. have been in effect.”
Vaishnaw had also said that the 25 sets of rules that are required to enact the DPDP Act would be released in one go and will be notified at the same time. He had said that the draft rules would be placed in the public domain for public consultation for at least 45 days.
Nasscom pointed out that the default practice is to give 30 days for “one” set of rules. Thus, the organisation asked MeitY to give “adequate and proportionate time” to receive public comments.
Outside of the impending Rules, under the Act, the central government needs to notify certain data fiduciaries --- that is the person or entity that determines the purpose and means of processing personal data --- as significant data fiduciaries. Being a significant data fiduciary attracts additional obligations and companies want clarity on whether they would be SDFs, Nasscom said.
Similarly, the Act also empowers the central government to exempt certain data fiduciaries, including startups, from different obligations. These obligations include, amongst other things, the need to obtain verifiable consent of the parent or legal guardian of a child. The eligibility for such exemptions will not be prescribed through rules but through notifications by the central government. “Organisations need to know if they are eligible for such exceptions,” Nasscom said.
It is only after the rules are finalised and additional notifications by the central government are made that organisations can estimate how much time and resources they would need to comply with the Act, Nasscom pointed out.
Nasscom also pointed out that apart from the rules and notifications, certain concepts under the law require clear guidance from the ministry. These include the meaning of “purposes of employment” under section 7(i), “technical and organisation measures”, “security safeguards”, “detrimental effect on the well-being of a child”, amongst other terms.