India’s new data protection law to take effect soon, Minister

Days after India got a personal data protection law, Union Electronics and Information Technology Minister Ashwini Vaishnaw said the rule-making process required for the law will not be delayed by the 2024 general elections.

Speaking at an event in Bengaluru, Vaishnaw said that like the law, the rules will be “very simple, very straightforward, very easy to implement,” adding that the process to form the rules has started.

He said that three things have to be in place for the process to be implemented in full: the rules, design architecture for implementing the law, and the data protection board.

“We are working on all three activities in parallel. There won’t be any delay because of the elections because the process was already initiated well before the law was enacted. The consultation process was followed in the enactment of the bill…. we will follow the consultative process for rule-making,” he said.

Law specifics
The DPDP law in its current form offers a legislative framework, but the process of rule-making will be responsible for defining its specific parameters. For example, the existing law stipulates that the government will identify a list of countries to which data transfers are prohibited. The rule-making processes will establish the criteria upon which a country can be designated for inclusion in this data transfer restriction list.

However, while the rule-making process will also be consultative, it’s not likely that it will be as exhaustive. He added that the laws are formed within the boundaries of the Constitution, and rules will be set by the boundaries of the law.

“The consultation process required for rulemaking is lesser compared to the law. Because now the law is there, within those boundaries, the details have to be filled in by rules. It will be a consultative process,” Vaishnaw said.

The law has also steered clear of regulating Artificial Intelligence. When asked if the upcoming Digital India Bill have any provisions to prevent non-consensual use of a person’s public data to train AI models, the minister said that the DPDP Act is horizontal, and applies to every sector.

“It applies to practically every sector that we have in the country where citizens’ personal data is used, processed. So, the horizontal axis is placed. Now, the vertical sectoral regulations will give the requirement for that particular sector. Horizontal has to be technology agnostic,” he said, adding that the law must not be constrained to deal with new technologies. Moneycontrol