India May Postpone Enforcement of New Data Protection LawSmall Businesses, Hospitals May Get More Time to Comply With Legislation
Indian government officials say they may delay enforcement of the new Digital Personal Data Protection Act to give small businesses and healthcare organizations more time to comply with the new regulations.
Minister of State for Electronics and IT Rajeev Chandrasekhar said a decision on the deadline will come sometime after the government sets compliance rules and appoints a Data Protection Board in the next 30 days.
The board will first investigate data protection failures and consider the impact of the regulations on behalf of micro-, small and medium-sized enterprises and hospitals that are not ready to comply.
"The goal is to create a culture of trust - a behavioral change among all who deal with personal data - and create the change required to make them do it responsibly and in alignment with the trust that the data principle has agreed to," Chandrasekhar said. "This is a deterrent act. It is supposed to create good behavior."
India's first-of-its-kind data privacy law, enacted in August, provides for a maximum fine of up to $30 million for privacy violations. It also eases data localization requirements, restricting localization to payment data and allowing the free flow of personal data between certain regions.
The act also gives the independent Data Protection Board the power to adjudicate privacy disputes. Individuals can appeal the board's decision to the Telecom Disputes Settlement and Appellate Tribunal and ultimately the Supreme Court of India.
Chandrasekhar said businesses and institutions must give valid reasons for an extension on compliance.
"Companies that already follow similar rules like that of the GDPR shouldn't ask for a very long time to follow these new rules. We are now in the phase of implementing these rules, and it should happen smoothly and quickly," he added.
To support the effort, the Ministry of Electronics and Information Technology is spending $85 million on a nationwide information security education and awareness program aimed at schools, colleges, and public and private sector organizations.