Amendments to DPDP Act Priority for India’s Modi Government if it Wins Third Term

Written by Archana Rao

As the world’s largest electoral exercise unfolds in India, the incumbent Bharatiya Janata Party-led government has announced that a priority for the incoming government would be to make amendments to the Digital Personal Data Protection Act. Additionally, the government will establish rules on important digital domain issues such as artificial intelligence (AI)-led misinformation and deepfakes.


Implementing rules for the Digital Personal Data Protection Act (DPDPA) and amendments to the IT rules can be expected within the initial 100 days of the formation of a new government at the federal level. The DPDPA rules, which have been delayed for several months, will reinforce the existing data privacy law, while amendment to the IT rules will address crucial issues like artificial intelligence-driven misinformation and deepfakes until a comprehensive Digital India Act is formulated.

As per media reports, India’s Prime Minister Narendra Modi asked union ministers to devise action plans for the first 100 days should the ruling party return to power during a recent Cabinet meeting. Following these instructions, the Ministry of Electronics and Information Technology (MeitY) has developed an action plan for key sectors under its jurisdiction.


Anticipation amidst delay

In January 2024, Rajeev Chandrasekhar, the Union Minister of State for Electronics and IT, stated that the guidelines pertaining to the DPDP Act should be released before the end of the month. 

The Digital Personal Data Protection Act, implemented in 2023, refers to the legislative and regulatory measures implemented to protect people’s privacy and security of their personal data in the digital sphere in India. The Act attempts to create thorough rules and standards for the gathering, processing, storing, and sharing of personal data by organizations and entities operating within India.

The DPDP Bill was first introduced in 2022, and in August 2023, it was revised and passed by both houses of the Indian parliament. As of now, the provisions of the DPDP Act have not been brought into force. The Act is expected to come into force in July 2024 through a government notification. 

However, even after a month-long consultation process, no announcements were made pertaining to these regulations due to the general elections.

Once notification of the enactment of the implementing rules gets issued, there will be a 45-day consultation period, followed by the establishment of the Data Protection Board (DPB).

There has been concern among various industry stakeholders regarding the delay in rule notification, as platforms will need time to adjust their products and services to comply with the requirements. For quite some time, large IT companies and affiliated businesses have been asking for a two-year transition period to comply with the DPDPA.

India hopes to implement the regulation within a period of 12 months. On the other hand, if a business asked for more time to comply with the legislation, they would need to provide a detailed explanation.

Oversight concerning misinformation, deepfakes to be strengthened 

An amendment to the IT Rules, 2020, is in the works to address emerging issues related to AI, particularly deepfakes, until the Digital India Act is finalized. The Act, intended to replace the Information Technology Act, will focus on cybersecurity, AI, privacy, and other pertinent areas.

Meanwhile, the DPDP Act, which defines personal data as “any data about an individual who is identifiable by or in relation to such data,” establishes national guidelines for the management of all forms of personal data. This includes private information like a person’s name, phone number, and Aadhaar (national ID).

The increasing sophistication of AI systems has triggered a range of concerns, including manipulation of media, for example the production of hyper-realistic videos of celebrities that the general public may mistake for real.

Understanding deepfake technology, a generative AI application, necessitates legislative intervention. The DPDPA has applicable rules that can prevent data breaches and limit the availability of “raw material” needed to create deepfakes.

Keeping India’s data protection rules at par with international standards

The proposal for the DPB drew inspiration from similar governmental bodies in various EU nations, which operate independently of government and enforce the General Data Protection Regulation (GDPR). Both the DPDP Act and the EU’s GDPR signify a global trend towards safeguarding sensitive data.

Data requests: Both the DPDP Act and GDPR provide individuals (referred to as data principals) with rights such as the ability to request access to their data, rectify inaccuracies, and request deletion of unnecessary data through data requests (often abbreviated as DSR or DSAR). Both laws also outline substantial fines for breaches of these rights.

Personal data protection: Both the DPDP Act and GDPR mandate the protection of personal data, although they may define the types of data they protect somewhat differently.

Breach notification: Both the DPDP Act and GDPR necessitate the notification of individuals and authorities in the event of a data breach affecting personal data.

Non-technical requirements: Both the DPDP Act and GDPR include certain non-technical requirements. For instance, they both stipulate that certain companies processing a significant number of residents’ personal data appoint a data protection officer residing within their jurisdictions. However, under the DPDP Act, this requirement only applies to companies notified of their status as “significant data fiduciaries.”

In addition to formulating regulations, the proposed DPB will be tasked with establishing codes of conduct for businesses, investigating cases of non-compliance, gathering supervisory information, and imposing penalties on non-compliant businesses.

Summary

The Narendra Modi-led NDA government is aiming to form a government at the federal level for the third consecutive term. Enacting amendments to the DPDP Act and updating IT rules are top policy priorities for the first 100 days of the new government’s formation. These revisions, focusing on areas like artificial intelligence (AI)-led misinformation and deepfakes, reflect a broader effort to enhance data security and privacy in India, especially as its digital economy continues to rapidly expand. Concerns, however, persist within the industry regarding compliance timelines, emphasizing the need for a smooth transition.

After months of lobbying by a number of industry executives, the drafting process has reportedly been finalized, and the guidelines should be published in July. Since the MeitY must provide precise instructions that the data fiduciaries or industry stakeholders must abide by in order to execute this data protection and privacy regulation, the law is not currently in effect. The sector anticipates that the MeitY’s guidelines and norms will specify in great detail how the law is to be implemented.

About Us

India Briefing is one of five regional publications under the Asia Briefing brand. It is supported by Dezan Shira & Associates, a pan-Asia, multi-disciplinary professional services firm that assists foreign investors throughout Asia, including through offices in Delhi, Mumbai, and Bengaluru in India.