The Ministry of Electronics and Information Technology (MeitY) in its recent workshop held on October 14 informed the stakeholders that the government will not be exempted from obligations for Data Fiduciary under Digital Personal Data Protection Act, 2023. The government will be equally subjected to penalties in case of a data breach.
The inaugural workshop was attended by around 100 stakeholders on the government’s invitation at the India Habitat Centre in New Delhi. Senior officials from MeitY were present during the workshop. The MeitY officials also informed that the government is conducting training for its subsidiaries for data protection and streamlining compliance mechanism.
Under the Digital Personal Data Protection Act, 2023 (DPDP Act), data fiduciaries, i.e., entities determining the purposes and means of processing personal data (either alone or in conjunction with other persons), are largely responsible and liable for compliances. Data Fiduciary’s primary role is to put in place SOPs and organizational and technical measures to ensure data safety.
A stakeholder on condition of anonymity said, “Government is one of the largest entity which collects and stores personal data of citizens in the country. The Meity officials were clear that the government agencies are not exempted from the DPDP Act. Infact, the government is training its subsidiaries such as NIC, NICSI, CDAC among others to streamline their compliance mechanism for DPDP Act.”
The government has also informed the stakeholders that the rules will have incremental changes to and the companies must be compliant to the DPDP Act.
Another stakeholder told Storyboard18 that “The government has said that the companies must have technical and organizational measures in place and not wait for clarity to be outlined in the rules which will be out soon for consultation.”
Transfer of Data offshore
Dr. Aruna Sharma, Policy Advisor and Practitioner Development Economist “The stakeholders have clearly stated that while the government insists on local storage of data, there is a need to allow aggregated data to be processed offshore for analytics.”
Sharma said, “Currently, multiple agencies are permitted to access personal data, a practice that stakeholders have objected to. They argue that only one agency, following a strict regime, should have access to personal or any data without prior consent.”
E-commerce and fintech companies are urging the government to allow aggregated data to be processed offshore for analytics, as it plays a crucial role in expanding exports. She added.
Sources have said that the government will notify stakeholders on aggregated data being taken offshore. The government will share the list of countries which are banned from storing data of Indian citizens.