In an exclusive interview with CNBC-TV18’s Ashmit Kumar on January 4, 2025, Minister for Electronics and IT, Ashwini Vaishnaw, sheds light on the much-anticipated draft Digital Personal Data Protection (DPDP) rules. Addressing industry concerns, Vaishnaw discusses the balancing act between innovation and regulation, the role of digital infrastructure, and key compliance obligations. The minister also emphasises the importance of safeguarding citizens’ privacy while ensuring the growth of India’s digital economy.
Q: An important decision has been taken, a decision that the industry had been waiting for, looking for clarity on. There has been some back and forth, and it has taken about 16 months to be specific. Why the wait, and where do we stand now with the publication of the draft rules?
Vaishnaw: When this law was presented to Parliament in November 2023, we had very clearly promised that it would be implemented digitally. It would be completely digital by design.
In the last year or so, despite the general elections, we have worked meticulously to create a completely digital portal, digital workflow, and digital processes, so that when we finally start implementing this law, the entire Data Protection Board (DPB) will be fully digital by design.
Second, this is a very pragmatic approach toward data protection. We have made sure that the balance between innovation and regulation is maintained — India has a huge innovation economy and a large startup ecosystem, and we need to make sure that citizens’ rights are protected with full fervour and confidence. That is why we have created this structure where innovation and regulation are properly balanced.
Q: You talked about balancing rights as well as obligations and about a completely digital framework. I think the DPB will be the first board to operate virtually, with the chairperson and members connecting remotely. What does this mean for the obligations of data fiduciaries or companies collecting data? What obligations are they now looking at?
Vaishnaw: The obligations of the data fiduciaries are very well established as per the principles set out in the Supreme Court’s judgement regarding consent and purpose; all those obligations are properly set in the law and the rules basically implement those.
Like the law, the rules are also very simple in language. Very clear examples and illustrations are given everywhere. We have made sure that we have not made everything very prescriptive because digital technology doesn’t stand; it evolves every week and so the law should be able to catch up with those developments. That is why we have said the principles in the law and the rules and the actual practice—whether to go to left or right or how many steps to take—all that thing is part of the execution and that is a very good framework that we have set.
We understand from whatever we have heard from our international counterparts and all that the compliance burden that happened in Europe and which killed the entire innovation ecosystem, which kind of damaged the innovation ecosystem in a very big way, that will not happen. Our innovation ecosystem will continue to grow with a proper legal framework.
Q: You referred to the compliance burden. We are looking at a situation where a company is required to have a data protection officer. There are reasonable security requirements that they are required to deploy. There are requirements for storage and then processing of data. What does this do in terms of compliance, especially for some of the smaller entities in the startup innovation ecosystem that are collecting data?
Vaishnaw: Most of these things are today’s standard practice in the industry. For example, all the compliances, all the obligations that we have set and our interaction with the industry indicate that people are fully prepared for implementing this. And we have given enough time and we have interacted very closely with the industry in a very collaborative manner. There shouldn’t be any disruption because of this law.
We have made sure that people are prepared, they come up to this level and despite that, we will be giving a very reasonable time frame for people to give the final compliance.
Q: One obligation that has garnered significant attention is parental consent. Can you give us some guidance on how this will operate? For example, if a child wants to buy a birthday present for their parent on an e-commerce website, how does the interaction take place from both an obligation and rights perspective?
Vaishnaw: Today we have a very strong digital architecture in our country. For example, for a child who has already enrolled in a school, a lot of digital data is already available there. If there is a bank account or any payment mechanism that a child is using, already there is a digital footprint available.
We have created a mechanism using virtual tokens, and using the existing digital architecture, we should be able to have a seamless shift towards a digital compliance method in which nobody should be required to go and say this is my date of birth, etc. All that stuff has been very well thought through and the industry has been consulted. The industry is on board with this.
They believe that this structure that we have created here, where we use the existing digital architecture and provide a verifiable parental consent framework using the existing digital architecture, will work very well. And that’s very important also because, in today’s world, there is a big possibility of harm coming to children because of the exposure to a variety of platforms.
The benefits must continue to accrue while the harms can be prevented.
Q: One new aspect introduced in the rules is data localisation. There is now a provision allowing the government to prescribe what types of data can be sent overseas.
Vaishnaw: There is no difference between the act and the rules. The act itself in Section 16 very clearly said that wherever required—we studied the best practices in the world—and we said wherever data is getting transferred to a trusted geography where the other side is also taking the same precautions and the same safeguards that we would have taken. And then we said that if there is a particular sector, that sector requires data localisation.
For example, even today, the Reserve Bank of India requires that the payment data be localised. We maintain that structure, which is a very flexible structure, and to prevent any sudden disruption by any particular sectoral regulator, we have created a committee mechanism so that there is proper consultation before any sector wants to impose a set of restrictions.
Q: So, essentially, there’s a window for sector-specific regulators to prescribe data localisation requirements, like in the RBI example?
Vaishnaw: Correct. That provision is already in Section 16. It’s a very pragmatic way of looking at things, rather than applying a one-size-fits-all approach. This flexibility is crucial.
Q: You mentioned that the DPB will operate entirely digitally. This includes the chairperson and members conducting meetings virtually. What does this translate into for the functioning of the DPB? How will it work? And is there an appellate tribunal framework where the DPB’s orders can be appealed?
Vaishnaw: There’s a very clear framework prescribed on multiple levels so that the citizens’ rights can be implemented without going through a very cumbersome legal process. It will be a new way of working. We have had examples of digital implementation. Various things in the last 10 years, the Prime Minister has implemented digital India as part of every sector.
Learning from all that has been implemented so far, this new digital by design from the beginning, everything being digital, right from lodging a complaint to getting a hearing to making sure that the data fiduciaries get their response to the final order, then the appeal mechanism, everything is digital by design. And it’s very well thought through. There’s also a provision for voluntary undertakings. This means if somebody understands that it has caused a problem and has violated the provisions of the law, that person or that firm or that company can go to the data protection board and say that we made this mistake. Then it can be treated differently. All those things are very well thought through.
Q: One final question on government entities collecting data. There are exemptions provided for government services, subsidies, benefits, and licences or permits. Doesn’t this cover a large portion of the government’s functions?
Vaishnaw: The government is equally obligated to protect citizens’ privacy. Most of the provisions of this Act apply to every data fiduciary, including government entities.
For example, if a person has already provided data for one service, it makes sense that they shouldn’t have to repeat the same process for another service. This is part of the ease of living, which is at the core of this approach. So, when a government department wants to use data that has already been provided for one service, the citizen can choose to access other services without being required to provide consent again.
Q: What does the transition window look like for compliance? You mentioned there would be a generous time frame.
Vaishnaw: About two years, but most of the industry is already prepared for it.