Context:
The Ministry of Electronics and Information Technology (MeitY) is considering reducing the compliance timeline for major technology firms under the Digital Personal Data Protection (DPDP) Act, 2023 from 18 months to 12 months, signaling a differentiated regulatory approach for large digital platforms.
Key Highlights:
Proposed Regulatory Changes
- Compliance timeline for Big Tech firms (Meta, Google, Amazon, etc.) may be reduced to 12 months.
• Separate compliance regime proposed for large companies vs startups.
• Fast-tracking provisions related to ‘Significant Data Fiduciaries’ (SDFs).
Significant Data Fiduciaries (SDFs)
- Identified based on:
- Volume & sensitivity of personal data processed
- Risk to sovereignty, integrity, electoral democracy, security, public order
• Mandatory Data Protection Impact Assessments (DPIA).
• Ensuring algorithmic systems do not violate user rights.
Data Localization & Cross-Border Transfers
- Committee likely to define categories of personal data requiring localization.
• Restrictions on transfer of specific personal and traffic data outside India.
Data Breach & Penalties
- Mandatory prompt intimation to affected individuals detailing:
- Nature and extent of breach
- Consequences
- Mitigation measures
• Penalties up to ₹250 crore for failure to safeguard data.
Concerns & Criticism
- Broad exemptions granted to government agencies on grounds of national security.
• Concerns about potential dilution of RTI Act transparency principles.
• Industry apprehension regarding compliance costs and regulatory unpredictability.
Relevant Prelims Points:
- DPDP Act, 2023 governs processing of digital personal data in India.
• Data Fiduciary – Entity deciding purpose and means of processing personal data.
• Data Principal – Individual to whom personal data relates.
• Significant Data Fiduciary – Notified by government based on risk & scale.
• Maximum penalty under DPDP Act: ₹250 crore per instance (depending on violation).
• Data Protection Board of India – Adjudicatory body under the Act.
Relevant Mains Points:
- Polity & Governance (GS 2)
• Balancing privacy (Article 21 – Puttaswamy Judgment) with state interests.
• Need for regulatory certainty and proportionality.
• Debate over government exemptions and accountability. - Science & Technology (GS 3)
• Regulation of AI algorithms and automated decision-making.
• Data localization and digital sovereignty. - Economy & Digital Ecosystem
• Compliance burden on startups vs Big Tech.
• Impact on India’s digital economy and foreign investment.
• Alignment with global standards like GDPR.
Way Forward
- Ensure clear, transparent rules for classification of SDFs.
• Balance innovation with strong data protection safeguards.
• Harmonize DPDP implementation with global digital trade norms.
• Strengthen institutional independence of Data Protection Board.
UPSC Relevance:
GS 2 – Polity (Right to Privacy, Governance, RTI)
GS 3 – Science & Technology (Data Governance, AI Regulation)