Relevance: GS II (Polity – Govt Policies) & GS III (Internal Security – Cyber Security) | Source: MeitY / Indian Express

1. The Context: Tighter Deadlines

The Ministry of Electronics and IT (MeitY) is shifting gears on data privacy. The government plans to shorten the compliance timeline for “Significant Data Fiduciaries” (SDFs)—giants like Meta, Google, and Amazon—to fully adopt the Digital Personal Data Protection (DPDP) Act, 2023.

  • The Change: The window is likely to be cut from the proposed 18 months to 12 months.
  • The Logic: Since these global tech giants already comply with the strict GDPR in Europe, they have the technical “bandwidth” to adapt to India’s laws faster than smaller Indian startups.

2. Who is a “Significant Data Fiduciary” (SDF)?

Not all companies are treated equally under the Act. The Central Government can classify certain entities as SDFs based on:

  • Volume: The sheer amount of personal data they process.
  • Risk: Potential impact on India’s sovereignty, electoral democracy, or public order.
  • Extra Duties: Unlike regular businesses, SDFs must:
    • Appoint a resident Data Protection Officer (DPO).
    • Hire an Independent Data Auditor.
    • Conduct periodic Data Protection Impact Assessments (DPIA) to check for risks like algorithmic bias.

3. The “GDPR” Argument

  • Government View: If Google can protect data in Germany (under GDPR), it can do it in India without a long delay.
  • Industry View: While principles are similar, technical requirements differ. For example, India’s Act demands a “verifiable parental consent” mechanism for children’s data, for which no global technological standard currently exists.

UPSC Value Box

Concept / Term: Relevance for Prelims

  • Data Principal: The individual to whom the personal data relates (i.e., You, the citizen).
  • Data Fiduciary: Any entity (company/state) that determines the purpose and means of processing data.
  • GDPR vs DPDP Act:
    • GDPR (EU): Fines are linked to global turnover (up to 4%).
    • DPDP Act (India): Penalties are fixed amounts (up to ₹250 Crore) per instance, not linked to turnover.

Q. With reference to the Digital Personal Data Protection Act, 2023, consider the following statements:

  1. The Central Government is empowered to notify certain Data Fiduciaries as “Significant Data Fiduciaries” based on factors like the risk to electoral democracy.
  2. Significant Data Fiduciaries are mandatorily required to appoint an Independent Data Auditor.
  3. The Act imposes penalties based on a percentage of the company’s global turnover for data breaches.

Which of the statements given above is/are correct?

(a) 1 only

(b) 1 and 2 only

(c) 2 and 3 only

(d) 1, 2 and 3

Correct Answer: (b)
