The Ministry of Electronics and IT (MeitY) may reduce the compliance timeline for Big Tech companies like Meta, Google, and Amazon to 12 months from the current 18 months under the Digital Personal Data Protection Act, 2023.
This change aims to create separate compliance regimes for large companies and startups, potentially leading to pushback from tech companies.
Provisions for 'significant data fiduciaries' may be fast-tracked, requiring them to conduct data protection impact assessments and ensure algorithmic software doesn't violate user rights.
The government may soon form a committee to specify the types of personal data that must be localized within India.
Detailed Insights:
The proposed changes acknowledge that larger companies already comply with stringent privacy laws like Europe’s General Data Protection Regulation (GDPR), giving them greater capacity to adhere to India's law.
Significant data fiduciaries will be determined based on the volume and sensitivity of personal data processed, and potential risks to India's sovereignty, integrity, electoral democracy, security, and public order.
These companies may face restrictions on transferring specific personal and traffic data outside India, with the government defining the types of data subject to localization.
In case of data breaches, data fiduciaries must promptly inform affected individuals about the breach's nature, extent, consequences, and mitigation measures.
Failure to maintain adequate data breach safeguards could result in penalties up to Rs 250 crore.
The DPDP Act has faced criticism for granting broad exemptions to the government in processing personal data based on reasons like 'national security' and for potentially weakening the RTI Act.
Key Concepts Involved:
Data Fiduciary: An entity that determines the purpose and means of processing personal data.
Data Principal: The individual to whom the personal data relates.
Data Protection Impact Assessment: A process to identify and minimize data protection risks.