India is prepared to repeal the country's data privacy laws.
The Indian government has created regulations that outline how businesses both domestically and internationally must protect the privacy of their residents' data. The Digital Personal Data Protection (DPDP) Act, India's first comprehensive national data protection law, was passed a year and a half ago. In addition to increased protections for children's data, the legislation established important privacy rights for Indian people, including the ability to view, update, rectify, challenge, port, and erase personal data. It also outlined several duties for data stewards, including the need to protect user data, ensure its accuracy, restrict its usage, and more.
Because the act was awaiting a set of precise implementation guidelines, organizations have not yet been compelled to modify their data-handling operations. These draft regulations, which are intended to operationalize DPDP, were published on January 3 by India's Ministry of Electronics and Information Technology (MeitY). Through 22 clauses and seven schedules, the DPDP Rules give businesses a framework for adhering to the act whenever the government starts enforcing it.
"As the digital infrastructure in India has grown exponentially, the absence of safety mechanisms for individuals has left citizens vulnerable," states Pankit Desai, CEO and co-founder of Sequretek, of the years preceding this moment. This makes DPDP "a long-overdue landmark regulation." It is more than simply a set of regulations; it is an indication of India's willingness to put the well-being of its citizens first in the digital era.
India's Prolonged Data Privacy Journey
Kharak Singh, a resident of Uttar Pradesh in northern India, was tried for gang robbery (dacoity) in 1941. Police continued to monitor him even after he was released due to the lack of proof. They went to his house at night, followed him around, and observed his work, social life, and habits, among other facets of his private life.
Singh eventually filed a petition, claiming that his constitutional rights had been infringed by the spying. Six judges of India's Supreme Court decided on December 18, 1962, that while some of the police tactics were harassment, many of their monitoring methods were lawful. They said that, according to the nation's constitution, privacy was not a fundamental right.
That continued to be the case until 2017, when the Indian government unveiled the "Aadhaar" project, which would have provided all citizens with identification numbers supported by a variety of biometric and demographic data. "We must ascertain whether there is a fundamental right to privacy in the Indian Constitution," Chief Justice of India JS Khehar said, referring to the Kharak Singh case, while supervising a challenge against Aadhaar. A nine-judge panel ruled in August 2017 that India's constitution guaranteed its inhabitants the right to privacy.
The proposed Personal Data Protection Bill of 2019 is the first and most notable piece of data protection legislation that was made possible by their verdict. The bill proved to be both restrictive and expansive, however.
The statute covered both personal and non-personal data. It was strict in requiring that private information not leave the nation's boundaries, yet permissive in allowing the government to exempt itself for a number of reasons. In any case, the bill was withdrawn in August 2022. The more impartial DPDP, which will eventually go into effect after the most recent proposed regulations are implemented, was modeled after it.
The New Traffic Laws
The DPDP guidelines are essentially industry standards: businesses must inform clients about the data they gather, encrypt it both in transit and at rest, remove it after three years of inactivity, and more. According to Rama Krishna Gudipati, head of customer success at CloudSEK, "Most notably, they grant substantial control to the data principal (individual) over their data, including the ability to determine when, how, where, and for what purpose their data is used." "Additionally, the introduction of penalties for non-compliance adds an important layer of accountability." For instance, corporations may lose up to INR 200 crore (about $23 million) if they violate their commitments regarding children's data or fail to alert customers to a breach.
However, some clauses, such as the ongoing exemptions granted to government agencies, are more contentious. According to Sequretek's Desai, "The exemption granted to the government from these rules raises questions about fairness and accountability, especially given the government's significant role as a service provider."
"India's digital infrastructure is heavily influenced by government-led initiatives, unlike in the West, where private enterprises dominate," which means that the law has a greater impact than it would in other nations.
Feedback on the new draft rules must be sent by February 18th. "An adequate period would be provided so that all stakeholders, from small enterprises to large corporates, may transition smoothly to achieve compliance with the new law," MeitY said in a news release on January 5th, following the rules' activation.