A two-year extension for implementation of the Digital Personal Data Protection Act, 2023 (DPDPA) is required for compliance, suggests a report by think tank Esya Centre.

The report, titled “An Empirical Evaluation of the Implementation Challenges of the Digital Personal Data Protection Act 2023: Insights and Recommendations for the Way Forward”, notes that among the 13 data fiduciaries interviewed, 54 per cent lacked experience in implementing data protection laws in other jurisdictions, mostly firms with large user bases.

Despite this, 85 per cent have begun preliminary deliberations on DPDPA compliance. However, their preparation is hindered by the absence of rules which make up the substance of implementation for many provisions in the DPDPA.

Some data fiduciaries said that the absence of a data protection law in India until recently meant that a complete overhaul of business structures was required to implement the DPDPA.

Compliance challenges

Additionally, the notice and consent requirements are expected to raise compliance challenges. Specifically, Section 5(3) of the DPDPA requires data fiduciaries to provide notices in English and all 22 languages in the Eighth Schedule of the Indian Constitution.

For this, 94 per cent indicated that implementing the language option requirement for notices will cause technical/interface changes to their products or services. This suggests that only a ‘best-effort’ transliteration might be possible, raising concerns about compliance tokenism.

Another area needing clarity is the obligation to obtain verifiable consent from parents or guardians for children and persons with disabilities. At present, the term ‘person with disability’ is not defined, indicating that the provision extends to both mentally and physically disabled persons. This is challenging because it might be difficult for firms to create a means to identify all kinds of disabled persons.

Meghna Bal, Head of Research, Esya Centre, said, “The decision to eschew localisation requirements and a compliance-heavy framework heralds a commitment to a progressive framework. It is now time to ensure that the prospective rules maintain the forward-thinking approach underpinning the parent Act and preserve a compliance-light data protection regime in the country.”

To tackle these issues, the report suggests a two-year period for implementing and complying with the DPDPA, starting from the notification of the DPDPA rules. Similar timelines have been followed by the EU, Japan, Brazil and the US state of California. It also states that the rules should empower data fiduciaries to choose language options for consent notices based on customer demographics, ensuring inclusivity and easing compliance burdens.

It also stresses the need to establish a mechanism for clarification of terms and provisions under the DPDPA, such as regular open-house discussions. Finally, it asks for a clarification of the scope of the term ‘Person with Disability’ to include only those severely mentally disabled or of unsound mind, respecting the rights and legal capacity of physically disabled persons.