With internet companies sweating out the details of India’s Personal Data Protection Bill (PDP), which is very likely to be passed in Parliament soon, the government could allow a compliance window of up to two years.
While the government is yet to decide on the exact timeline for the implementation of the PDP bill, it could give companies up to two years to become fully compliant with the law, since many of its clauses cannot be implemented immediately, according to a news report.
Further, Justice BN Srikrishna, who led the commission that created the draft of the bill, told ET that if the bill is passed, internet companies will have to register and incorporate in India within six months. He added that companies could get up to 18 months to revamp their operations according to the provisions of the law, which include mechanisms to respond to government and law enforcement agency requests within 24 to 72 hours, data localisation norms, and other stipulations that would need time to be activated.
Another member of the bill’s drafting committee and former telecom and IT secretary, Aruna Sundararajan, also said companies would be given time to implement the law.
The Indian union cabinet approved the Personal Data Protection Bill on December 4, which is meant to ensure the protection of personal data and other sensitive information of Indian citizens. The Bill will be introduced in Parliament during the current winter session.
Similar to the compliance window provided by the European Union’s General Data Protection Regulation (GDPR), many international companies which have users in India will have to incorporate a local business to handle India operations. However, major tech companies and Indian IT giants such as Infosys, Wipro and others may not have to put in too much effort to upgrade their systems to comply with PDP since the law is very similar to the EU’s GDPR.
Last week, US treasury secretary Steven Mnuchin urged India to ensure that its data localisation plan does not have an impact on other countries and further requested the country to treat US-based companies fairly even as they are complying with the local law.
The Personal Data Protection Bill was introduced in draft form in 2018 by the Srikrishna Committee. It defines personal data as any data of a natural person which allows direct or indirect identifiability. Sensitive personal data includes financial data, biometric data, positive additions such as religious and political beliefs, caste, intersex/transgender status, and official government identifiers like PAN, etc.