The draft DPDP rules were published late last night, over 16 months after Parliament passed the DPDP Act in August 2023. The draft rules are open for public comment until February 18, 2025. The industry had been clamoring for these rules to guide the preparation of systems for compliance with the DPDP Act.
On the delay, the Minister said that despite the 2024 Lok Sabha elections, the government has introduced a law and rules that provide a completely digital workflow.
Industry obligations and compliances
Regarding the obligations of the industry, the Minister assured that the compliance requirements are consistent with the Supreme Court’s privacy judgment. For clarity, he mentioned that the rules are written in simple language, supported by illustrations.
He also noted that the rules could not be overly prescriptive, allowing the law to keep pace with fast-changing technology. He further cited technology ministers from other countries, stating that the compliance burden imposed by European laws on their companies will not be seen in India.
On compliance requirements that could impact smaller companies, such as the Data Protection Officer prescribing “reasonable” security measures and norms for the storage and processing of data, Vaishnaw clarified that most of the requirements are already common industry practices. He assured that the government has worked closely with the industry to formulate these requirements and further stated that the industry will be given two years to fully comply with the law and rules.
Parental consent for children
On the matter of rules requiring companies to obtain parental consent for children, the Minister said that the draft rules provide a digital mechanism where existing digital infrastructure can be used for migration via digital tokens. He clarified that the industry has been widely consulted on this. He also noted that there is a significant risk of harm to children, and the government must take necessary precautions.
The rules also introduce a provision where the Centre can prescribe what types of data can be sent overseas. The Minister explained that this power, as outlined in the rules, is consistent with the DPDP Act. He further clarified that the rules address specific situations, such as the RBI’s directive for financial data to be stored on domestic servers.
Exemptions to government and related entities
Additionally, the rules provide an exemption from the Act for government and related entities. According to the rules, government entities providing subsidies, benefits, licenses, or permits are exempt. Vaishnaw emphasized that the law and rules apply to all entities collecting data. He further explained that if consent has been provided for one service, the recipient should not require consent again for another government service.
(Edited by: Ajay Vaishnav)
First Published: Jan 4, 2025 6:06 PM IST