In this blog post, we present our policy brief on implementing India’s Personal Data Protection Bill (hereafter the Bill). The policy brief is accessible here.
The Central Government and the future Data Protection Authority (DPA) will face the complex task of notifying several rules and regulations in order to bring the Bill into full effect. In the absence of such rules and regulations, even if the Bill is enacted it could have limited impact and effect. The Central Government and the DPA will have to work together to systematically release regulation to bring to life the provisions of the Bill. A systematic approach could prevent the ad-hoc passage of rules which could create severe disruptions in the data economy and gaps in consumer protection.
In this policy brief, we set out the actions required from the Central Government and the future DPA following enactment of the Bill. These actions, summarised in the figure below, are sequenced in order of priority based on our analysis of the interlinkages of sections within the Bill and the practical requirements of any data protection regime. The sequencing is aimed at ensuring that the main elements of the law come into effect without compromising consumer protection and inducing business uncertainty. This initial blueprint aims to drive forward the conversation on effective implementation, capacity and enforcement for India’s future data protection regime taking into account our unique context.
Figure: Blueprint for issuing subordinate legislation by the Central Government & the DPA in India
The full policy brief is available here.