Esya Centre, a New Delhi based think-tank, has launched a report on Digital Personal Data Protection Act, 2023 (DPDPA) titled, “An Empirical Evaluation of the Implementation Challenges of the Digital Personal Data Protection Act 2023: Insights and Recommendations for the Way Forward”. From what it’s understood, the report has captured experiences and perspectives on the operational and technical hurdles in implementing DPDPA, incorporating insights from 16 industry stakeholders (13 data fiduciaries and three experts).
According to an official release, the findings highlight that among the 13 data fiduciaries interviewed, 54% lacked experience in implementing data protection laws in other jurisdictions, mostly firms with large user bases. Despite this, 85% are understood to have begun preliminary deliberations on DPDPA compliance. However, it’s believed that their preparation is hindered by the absence of rules which make up the substance of implementation for provisions in the DPDPA. However, some data fiduciaries said that the absence of a data protection law in India until recently meant that an overhaul of business structures was required to implement the DPDPA.
Additionally, the need for notice and consent requirements are expected to raise compliance challenges. Section 5(3) of the DPDPA mandates data fiduciaries to provide notices in English and all 22 languages in the Eighth Schedule of the Indian Constitution. For this, 94% seemingly indicated that implementing the language option requirement for notices will cause technical/interface changes to their products or services. In addition, respondents highlighted difficulties in translating legal terms. Another obligation is considered the need for clarity on obtaining consent from parents or guardians for children and persons with disabilities. Tackling these issues, the report has suggested a two-year period for the implementation of the DPDPA for compliance, starting from the notification of the DPDPA rules. It has also stated that the rules should empower data fiduciaries to choose language options for consent notices based on customer demographics. It has stressed on the need to establish a mechanism for clarification of terms and provisions under the DPDPA. Finally, it has asked for a clarification of the scope of the term ‘Person with Disability’ to include only those mentally disabled or of unsound mind. In conclusion, the report has underscored that implementing DPDPA will not address the issues, as effective resolutions demand a time-intensive approach.
“I believe India has come a long way from the early iterations of the Data Protection Bill to the enactment of the Digital Personal Data Protection Act, 2023. The decision to eschew localisation requirements and a compliance heavy framework aims to herald a commitment to a progressive framework. I think it is now time to ensure that the prospective rules maintain the forward-thinking approach underpinning the parent Act, and preserve a compliance-light data protection regime in the country,” Meghna Bal, head of research, Esya Centre, said.
