Government Delays Data Protection Rules to Accommodate Public Institutions
New Delhi - The Indian government's delay in finalizing the draft rules for the Digital Personal Data Protection Act, 2023, stems from internal deliberations on the readiness of its own institutions like schools, colleges, and hospitals to comply with the new law, The Indian Express has learned.
The Act, which was passed last August, awaits operationalization as the necessary subordinate legislation, involving at least 25 rules, remains pending. This has resulted in the law not coming into effect even a year after receiving presidential assent.
A senior government official, speaking on condition of anonymity, highlighted the challenges faced by public institutions, particularly in remote areas where technology is rudimentary. "These institutions handle significant amounts of personal data daily, and we need to ensure they are adequately accommodated in the rules," the official explained.
Despite an exemption clause for government entities, this is unlikely to apply to educational and health institutions. The IT Ministry, responsible for these regulations, has not responded to requests for comment.
Further complicating the framing of rules is the issue of consent for handling children's data. Originally, the law mandated parental or guardian consent for processing data of individuals under 18. However, the government found it challenging to enforce a uniform mechanism for obtaining such consent, leading to a decision to allow companies discretion in how they manage this requirement.
The law has faced criticism from various quarters including civil society, the Opposition, and even the NITI Aayog, which has flagged concerns over potential dilution of the Right to Information Act. A contentious aspect is the broad exemptions granted to government agencies under Section 17 (2) (a), which allows for the processing of personal data in the interest of national security and public order, among other reasons.
Companies are required to collect personal data through consent-based mechanisms, with provisions for "legitimate uses" offering some flexibility. Non-compliance, particularly in safeguarding data against breaches, could attract penalties up to Rs 250 crore.
The ongoing delays and adjustments in the rule-making process underscore the complexities involved in aligning data protection laws with the operational capabilities of diverse public sector institutions, while also addressing privacy concerns in the digital age.