There are two rumours/news-plants running in the media about the DPDPA Rules. They are:
a) The Government may accelerate the timeline for implementation from 18 months to 12 months in some respects.
b) TCS is likely to apply for Consent Manager license.
Let us briefly review these two issues.
It would be welcome if the Government goes for a faster implementation timeline, particularly for the large companies who are already compliant with global laws and are capable of implementing the law within the next 6-9 months. Given the fact that the DPB is yet to be formed, a period of 1 year seems reasonable.
It is possible that for SMEs the implementation can be kept at the present level of 18 months, so that they will have the benefit of observing the implementation challenges as resolved by the large entities before the smaller entities jump in with fewer resources for software selection and implementation. This could even be part of the promise in the budget today.
The second aspect is TCS applying to be a Consent Manager. While it appears logical that a conglomerate like TCS would consider it attractive to have an in-house consent manager for its group entities, the “Conflict” situation could be very tough to handle.
Secondly, we are aware that TCS has a record of entering the business of Certifying Authorities and later exiting. This is not a good track record to boast of for a business like Consent Manager, and the group may have to disclose the reasons for surrendering its Certifying Authority license, since a similar possibility may also exist of TCS surrendering the Consent Manager license in the future.
Now that the Government is considering revision of some of the rules, I suggest some changes to the consent manager rules.
The current Consent Manager rules under Rule 4 suggest that data can be transferred from one data fiduciary to another at the instance of the consent manager. This amounts to “Data Portability”, which the parent law has omitted as a “Right of the Data Principal”. The rule is therefore “Ultra-Vires” the law, at least in legislative intent.
Secondly, we have pointed out that if the Consent Manager does not have “Visibility” to the data, the rigorous conflict related conditions appear to be an overkill. It can be modified if the Government comes out of its blinkers that Consent Manager is like an Aggregator in the DEPA framework.
Yesterday, I was discussing with the “Spastic Society of Karnataka” the possibility of such NGOs becoming specialist Consent Managers for “Disabled Data Principals”. These institutions know who is entitled to be in this category, what they need from the Internet and what the law of guardianship is for such persons better than any other commercial organizations. It therefore appears that such organizations should be allowed to be “Consent Managers” for some niche category of data principals. However, such organizations may not be able to fulfill, say, the Capital requirement, nor may they be “Companies incorporated in India”.
Hence we suggest that the Government should consider providing exemptions from some conditions of the Rules under Rule number 4 to enable such genuine NGOs to be the consent managers for their niche areas of operation.
Hope the MeitY considers these suggestions when they think of making some changes to the November 13 rules for which they have had a closed door meeting with the privileged Tech Giants.
Naavi







