The Digital Personal Data Protection Bill, 2023, passed the Rajya Sabha test on Wednesday and moved one step closer to becoming a law. Rajeev Chandrasekhar, Union Minister of State for Electronics and IT, in conversation with Sourabh Lele and Surajeet Das Gupta in New Delhi, discusses various aspects of the Bill, its compliance timeline, and the Centre’s decision to impose an import licence on laptops and notebooks. Edited excerpts:
When do you expect the compliance requirements to come into effect? Will there be a transition period?
There are twin calls here. One, I don’t want Indian citizens to be exposed. On the other hand, we need to give reasonable time to platforms for transition. If you ask platforms, they will say give us two years, similar to the GDPR (the European Union’s General Data Protection Regulation). I think we will give different timelines for the transition to different types of platforms. The smaller ones may take a little longer. Big Tech companies certainly don’t need a long transition timeline. Maybe some government entities can take slightly longer because they have to modernise. We may look at different types of transition. But we certainly don’t want to give long periods to big data guzzlers. The conversation around data protection has been going on for six years and everybody knows what they have to do.
According to the Bill, processing of children's data needs parental consent, but some platforms may get an exemption from the government in this connection. Which category of platforms will get this relaxation?
We have said if there are platforms that are extraordinarily focused on making child-safe zones on the internet -- for example, by doing an e-KYC of everybody who’s on the platform and verifying each person’s identity, and whether the app is trusted for children -- they may apply to the government. The government may consider lowering the bar for that platform alone.
None of the social media platforms will qualify for it because they don't do any KYC, they don't know who’s using their apps, and anonymous use abounds. For example, an ed-tech platform that takes a great deal of care about who is on it, does e-KYC for everybody on it, and has verifiably only children users on it, can apply for lowering (the age) threshold to, say, 16 years and we may consider.
Surprisingly, the final Bill gave power to the central government to block platforms. What led to this?
The idea behind huge punitive penalties is meant to dissuade platforms from conducting themselves badly or poorly, or violating the rights of the Indian citizen.
The reason we introduced that (giving the government blocking powers) is for events when a platform says ‘I don’t mind giving the penalty and the benefits that I get from misusing data are much more’. It may game the system.
The Bill was passed within 20 minutes in the Lok Sabha despite the addition of new provisions after public consultations. Why was there no consultation on the final draft?
The government can have consultations even for the next one year or so. But there is a certain urgency. In 2017, privacy became a fundamental right. Then we spent two and a half years in the Covid pandemic. We repealed that Bill, because it was certainly a very complex Bill.
For every expert (insisting on consultation), there are hundreds and crores of citizens who say our data should be protected. Don't forget this argument is not between experts and the government. There is a silent majority of 1.2 billion Indians who by 2025-26 are going to be online and whose rights also we have to protect.
There was also a pivot from the whitelisting approach to blacklisting of countries for cross-border data sharing. Why?
The principle is the same that we want foreign jurisdictions to be open and available to our innovation economy for processing data. We want to permit only those jurisdictions where the rights of Indian citizens apply. Now, we are saying that data fiduciaries are responsible for protecting data and therefore are liable under the law to choose a trusted geography. If there is a breach happening in that country, we can ban it after consideration.
Will this Bill increase the cost of compliance?
No. This is the absolute minimum requirement. What we are defining today is a basic principle that no platform can use/misuse/exploit the personal data of any Indian citizen without consent.
Industry was surprised after the government announced IT hardware import restrictions. What led to this action?
There’s a misunderstanding. Maybe we are to blame. We poorly communicated what was the intent of this (licensing mandate). The intent was not to create any disruption in the supply chain or IT hardware in our digital economy. The idea here is that we are at that stage of our digitisation where there’s a lot of headroom for growth and penetration of digital products. We want to ensure that trusted hardware is coming into our systems. We don’t want to wake up late like the rest of the world.
Second, we certainly want domestic manufacturing in the near to medium term to start contributing to the overall demand of the Indian ecosystem. So, this is really about the import management system. It is about managing the type of imports bound for India.
What did industry stakeholders say during your meeting with them about the import policy?
I sat with industry (stakeholders) yesterday (Tuesday) and I calmed them down, especially since there are seven or eight companies contributing about 90-94 per cent of the ecosystem -- the Dells and the Apples of the world. I spoke with all of them and they have understood what the government’s intention is. So far, our growth in electronics has been because of a partnership between the Government of India and industry; the smartphone success has been because of that model. We certainly don’t want to change that. And we certainly don’t intend to change that. The perception that you’re using a hammer to, which in some sense, incentivises domestic production is unfortunate. That perception is far from the truth.