While the DPDPA 2023 was gazetted on 11th August 2023, the notification of the date of its effectiveness has been awaited. Presently the draft rule is ready for public comments and the industry is eagerly waiting to know which provisions of the Act will become effective immediately and which will take time.
The current thinking in the Meity seems to be a two stage implementation with about 6 rules to be notified for effect immediately and the remaining around 14+ rules to be effective at some point of time later.
The six rules that may be notified for immediate effect could be
| Short Title and Commencement |
| Definitions |
| Appointment of Chairperson and other Members |
| Salary, allowances and other terms and conditions of service of Chairperson and other members |
| Proceedings of Board and authentication of its ordders, directions and instruments |
| Terms and conditions of appointment and service of officers and employees of Board |
The other rules to be notified on a later date are as follows:
| Notice to seek consent fo data principal |
| Notice to inform of processing done where data principal has given consent before commencement of Act |
| Registration, accountability and obligations of a Consent Manager |
| Processing of Personal data for provision of subsidy, benefit, service, certificate, license or permit |
| Intimation of personal data breach |
| Time period for specified purpose to be deemed as no longer being served |
| Publishing of contact information of person who is able to answer questions about processing |
| Verifiable Consent for processing personal data of child or person with disability who has lawful guardian |
| Exemptions from processing of personal data of child |
| Measures to be undertaken by Significant Data Fiduciary |
| Rights of Data Principal |
| Exemption from Act for Research, Archiving and Statistical purposes |
| Techno Legal measures to be adopted by Board |
| Appeal |
It is expected that the setting up of the DPB may take about 3 months and the remaining rules may come into effect subsequently.
There are a few more rules that are yet to be finalized and perhaps they may come up in the third set.
The exact time schedule for implementation is yet unclear and we may have to wait for the Government to complete the constitution of the DPB before a more specific time schedule can be expected.
Naavi
Pingback: DPDPA Rules: Collating the Industry Voice | FDPPI is your Privacy Companion