DPDP Bill Year: Delayed Regulations Botch India’s Data Protection Law

Experts say that once the rules are in place, they will likely impact the AI supply chain by regulating entities that process personal data. | Illustrative image

4 minutes of reading Last update: August 11, 2024 | 15:41 IST

India’s data protection law, the Digital Personal Data Protection Act (DPDPA), will complete its first year on August 12, 2024. However, even after a year, it is effectively ineffective as its provisions still cannot be enforced in the absence of detailed rules, which are yet to be promulgated.

Experts and activist groups Business Standard spoke to said the delay had caused the law to lose its effectiveness.

Aruna Sharma, former secretary of the Ministry of Electronics and Information Technology (MeitY), said the delay in notifying the rules made the Act redundant.

“There is a huge amount of private data in the digital realm and the intention of the DPDPA was to protect it. Waiting for the regulations leads to different interpretations and confusion,” she said.

Talking about the reasons behind such a long delay in the legislation, Sharma added: “The problem is that the bill was rushed through and is meant to become an Act; wider consultations are needed.”

Digital rights groups and advocates said the delay in notifying the rules creates uncertainty for businesses and limits the ability of individuals to exercise their rights under the Act, particularly in resolving complaints.

“The end user feels helpless without an easy process to deal with data breaches. They are squeezed between a heartless government that wants to extract all kinds of data without offering any guarantee of protection, and companies that want to offer convenience in exchange for data,” said Mishi Choudhary, founder of the Software Freedom Law Centre.

However, reports indicate that companies processing huge amounts of data are having difficulty complying with the law, which has been in force for a year but without any regulations.

A study published by a Delhi-based think tank in May this year found that about 85 percent of data fiduciaries have begun preliminary considerations for DPDPA compliance. “However, their preparation is hampered by the absence of rules that are at the heart of implementing many of the DPDPA provisions,” the Esya Centre report said.

According to the DPDP Act, a data fiduciary is any entity or person that determines the purpose and method of processing personal data.

“Companies like predictability. It helps them design their product roadmap, allocate budgets for compliance and hiring. Everything gets delayed in the absence of regulatory rules,” said Choudhary, speaking about how the delay is affecting companies.

“The delay in notification of the Digital Personal Data Protection Rules (DPDP Rules) has various implications for the industry and end-users. Some of the provisions under the DPDPA 2023 still require guidance and clarity to better interpret them and ensure sufficient operationalisation,” said Kamesh Shekar, Senior Programme Manager, The Dialogue.

He also said that notification of the provisions of the DPDPA 2023 must be done in phases to ensure that data fiduciaries have sufficient time to put in place meaningful operational mechanisms.

Changes over the past year

Since the Act was passed last year, there has been an increase in the number of specialist technology policy firms offering compliance services to large enterprises.

Experts believe that this phenomenon will continue to grow.

“Consulting practices, lawyers and compliance offerings will continue to grow as the industry grows and regulations are introduced. We need robust compliance measures, but the ongoing uncertainty is making everyone unsafe,” Choudhary said.

The last year was also a time of use of artificial intelligence (AI) and the challenges associated with it.

Experts say the rules, once published, are likely to impact the AI supply chain by regulating entities that process personal data, and these entities could also be classified as data fiduciaries or processors, subject to the law.

“Since AI technologies rely on massive amounts of data to train their algorithms, entities in the supply chain that process personal data can be classified as data fiduciaries and data processors, meaning they come under the DPDPA 2023,” Shekar said.

He added that there is no clarity on how consent artifacts apply to scenarios where AI applications are being developed. “For example, in a scenario where AI technology is being developed using data scraped from different places, how would AI developers obtain consent from people who are users of third-party applications?”

“Therefore, as the work progresses, the regulations need to clearly define the applicability of the DPDPA 2023 in the AI ecosystem,” he added.

First published: August 11, 2024 | 15:41 IST