India’s data protection law — the Digital Personal Data Protection Act (DPDPA) — will complete its first year on August 12, 2024.
However, even after a year, it is virtually ineffective as the provisions still can't be enforced in absence of detailed rules, which are yet to be notified.
Experts and advocacy groups that Business Standard spoke to said this delay has made the Act lose its effectiveness.
Aruna Sharma, former secretary, Ministry of Electronics and Information Technology (MeitY), said the delay in notification of rules has made the Act redundant.
“There are humongous amounts of private data in the digital zone available and the intention (through the DPDPA) was to protect them. Awaiting rules and this is resulting in different interpretations and confusions,” she said.
Speaking about why the rules have been delayed so much, Sharma added, “A hurriedly passed Bill to come up with an Act is the issue. There is a need for wider consultation.”
Digital rights and advocacy groups said the delay in notification of rules is creating business uncertainty.
“The end user feels helpless without any recourse to an easy process for data breaches. He is squeezed between a callous government that wants to extract all kinds of data without offering any assurance of protection and companies that want to offer convenience in exchange of data,” said Mishi Choudhary, founder, Software Freedom Law Centre.
However, reports suggest that companies that deal with vast amounts of data are finding it hard to comply with the Act, which has been in place for a year now but without the rules.
A study released by a Delhi-based think tank in May this year said that around 85 per cent of data fiduciaries had begun preliminary deliberations on DPDPA compliance.
“However, their preparation is hindered by the absence of rules that make up the substance of implementation for many provisions in the DPDPA,” the report by Esya Centre said.
A data fiduciary, under the DPDP Act, is any entity or individual that determines the purpose and means of processing personal data.
“Business likes predictability. That helps them design a product roadmap, allocate budget for compliance and recruitment. Everything is delayed in absence of governing rules,” said Chaudhary.
“The delay in notification of the DPDP Rules has various implications for the industry and end users. Some of the provisions within the DPDPA 2023 still need directions and clarity for better interpretation and sufficient operationalisation,” said Kamesh Shekar, senior programme manager, the Dialogue.
He also said the notification of the provisions of the DPDPA 2023 must be done in a phased manner so that data fiduciaries get enough timeframe for meaningful operational mechanisms to comply with.
Changes in the past one-year
With the passage of the Act, the past one year has seen a rise in specialised tech-policy firms giving compliance services to big companies on the provisions of the Act. Experts believe that this will continue to grow.
“Consulting practices, lawyers and compliance offerings will only grow with the size of the industry and enactment of rules.
We need robust measures for compliance but continued uncertainty leaves everyone unsafe,” said Chaudhary.
The last one year also saw the use of artificial intelligence (AI) and its related challenges.
Experts believe once the rules are out, they will probably impact the AI supply chain by regulating entities handling personal data. They may also be classified as data fiduciaries or processors subject to the law's provisions.
“As AI technologies rely on massive amounts of data to train their algorithms, entities within the supply chain that handle personal identification information may be classified as data fiduciaries and data processors. They will fall under the purview of the DPDPA 2023,” said Shekar.
Existing concerns
Digital rights and advocacy groups say that the delay in notification of rules is creating business uncertainty, and has limited individuals’ ability to exercise their rights
Reports suggest that companies that deal with vast amount of data are finding it hard to comply with the Act
Around 85% of data fiduciaries had begun preliminary deliberations on DPDPA compliance
The last one year has seen a rise in specialised tech-policy firms giving compliance services to big companies on the provisions of the Act
It also saw the use of AI and it’s related challenges. Experts believe once the rules are out, it’ll impact the AI supply chain
 "One year of DPDP Act: Firms in a fix over delayed implementation of rules")
