In the PDPB 2018, a clear road map of implementation of the law had been provided. This had been removed in the PDPB 2019. However in the DPB 2021, the detailed implementation schedule has been suggested.
This may be made part of the notification.
The suggested implementation schedule (Recommendation 3) is as follows:
- The Chairperson and members of DPA to be appointed within 3 months.
- DPA commences its activities within 6 months
- Registration of Data Fiduciaries to commence in 9 months
- Adjudicators and Appellate Tribunal to be appointed within 12 months
- Complete act to be effective within 24 months.
It has been suggested that the Government shall be in consultation with the stakeholders during the time if implementation and also keep the legitimate interests of business in mind so that it does not detract too far from the Government’s stated objective of promoting ease of doing business in India.
It is to be noted that though the principal objective of the DPA 2021 is to provide protection of Privacy right of the Indian citizens, the objectives of the Bill as also stated in the Preamble reiterate that the Business also has a stake in this law and its interest cannot be ignored.
In comparison, GDPR is clearly pro-privacy in its implementation and some of the decisions of the supervisory authorities are blatantly anti-business. Such an approach is counter productive to development and the JPC has therefore taken a stand not to treat business as outcasts. While this will continue to be debated by privacy activists as anti-Puttaswamy judgement, it is essential for the Government to balance the needs of different stake holders and one manifestation of this is contained in the Recommendation 2 stating that the legitimate interests of business has to be kept in mind while fixing the time line of implementation.
Two years has been the general time given in many other laws including GDPR and though Government could have curtailed this to about an year given the delay that has already occurred, the JPC has stuck to the standard 24 month time line.
Hopefully industry would consider this reasonable.
Naavi
Other articles on DPA 2021
14. PDPA 2021: Concept of Discovery Consent
13. JPC Recommendations on SWIFT Alternative: Out of scope and Disruptive of Global Economic System
12. JPC recommendation on Children Data
11. JPC recommends DPA to watch on Incident Register
10. JPC comments beyond the Amendments-2: Implementation Schedule
9. JPC comments beyond the Amendments-1-Priority of law
8. Clarifications from the JPC Chairman on DPA 2021
7. Anonymisation is like Encryption with a destroyed decryption key
6. PDPA 2021: The data breach notification regarding Non Personal Data
5. PDPA 2021: The Data Protection Officer is now in an elevated professional status
4. PDPA 2021: The nature of Data as an Asset and nomination facility
3. PDPA 2021: Regulating the human perceptions
2. PDPA 2021: Definition of Harm to include psychological manipulation
1. PDPA 2021: Should Big Data and Data Analytics industry be worried?