HEALTH

Government Delays Data Protection Rules Amid Compliance Concerns

In Desk

Nov 11, 2024 • 1 min read

New Delhi - The implementation of the Digital Personal Data Protection Act, 2023, enacted last August, continues to face delays as the government grapples with internal readiness and compliance issues, The Indian Express has learned.

The Act, which requires at least 25 subordinate rules to become fully operational, has not yet been enforced more than a year after receiving presidential assent. Central to the delay are concerns over the readiness of government-controlled institutions like schools, colleges, and hospitals to comply with the new regulations.

"Many of these public institutions, especially those in remote areas, operate with basic technology but handle significant amounts of personal data daily," a senior government official told The Indian Express, speaking on condition of anonymity. The official highlighted that careful considerations are being made to accommodate these institutions under the new legal framework.

Despite an exemption clause for government and its agencies within the Act, it's unlikely that this would apply to educational and healthcare facilities, adding complexity to the rule-making process.

The IT Ministry has remained silent on the matter, not responding to requests for comments. Another significant issue has been the requirement for entities dealing with children's data to seek parental consent, which has proven challenging to implement technologically.

In response, the IT Ministry is now expected to allow companies discretion on how they obtain such consents, moving away from a prescribed mechanism.

The Act has faced criticism from civil society and opposition parties. Notably, Niti Aayog has critiqued provisions that could potentially weaken the Right to Information Act. Critics also point to the broad exemptions the law grants to state instrumentalities, as outlined in Section 17 (2) (a), which allows for exemptions in the interest of national security and public order.

The law mandates a consent-based mechanism for data collection by companies, with penalties for breaches reaching up to Rs 250 crore for inadequate safeguards against data breaches.

As the government navigates these complex issues, the finalization of the data protection rules remains pending, reflecting the intricate balance between technological readiness, privacy rights, and public interest.

Sign up for more like this.