Press Release

Two year extension for implementation of DPDPA is mandatory for compliance: Esya Centre 

Need technical and interface changes to meet new requirements: Report 

Esya Centre, a New Delhi based think-tank, launched a comprehensive report on Digital Personal Data Protection Act, 2023 (DPDPA) titled, “An Empirical Evaluation of the Implementation Challenges of the Digital Personal Data Protection Act 2023: Insights and Recommendations for the Way Forward.” The report captures a diverse range of experiences and perspectives on the operational and technical hurdles in implementing DPDPA, incorporating insights from 16 industry stakeholders (13 data fiduciaries and three experts). 

The key findings highlight that among the 13 data fiduciaries interviewed, 54% lacked experience in implementing data protection laws in other jurisdictions, mostly firms with large user bases. Despite this, 85% have begun preliminary deliberations on DPDPA compliance. However, their preparation is hindered by the absence of rules which make up the substance of implementation for many provisions in the DPDPA. However, some data fiduciaries said that the absence of a data protection law in India until recently meant that a complete overhaul of business structures was required to implement the DPDPA.

Additionally, the need for notice and consent requirements are expected to raise compliance challenges. Specifically, Section 5(3) of the DPDPA mandates data fiduciaries to provide notices in English and all 22 languages in the Eighth Schedule of the Indian Constitution. For this, 94% indicated that implementing the language option requirement for notices will cause technical/interface changes to their products or services. In addition, respondents highlighted difficulties in translating certain legal terms, as many English legal terms about rights do not have equivalents in the languages listed in the Eighth Schedule. This suggests that only a ‘best-effort’ transliteration might be possible, raising concerns about compliance tokenism. The goal of inclusivity behind the Eighth Schedule requirement is questionable, considering the minimal population speaking some of these languages (e.g., Sanskrit) and the exclusion of popular but unscheduled languages.

Another obligation is the need for clarity on obtaining verifiable consent from parents or guardians for children and persons with disabilities. At present, the term, ‘person with disability,’ is not defined, indicating that the provision extends to both mentally and physically disabled persons. This is challenging because it might be difficult for firms to create a means to identify all kinds of disabled persons. In addition, it is also prejudicial to the rights of disabled persons who are competent to contract and can cause a potential conflict with the Rights of Persons with Disabilities Act, 2016.

Tackling these issues, the report suggests a two-year period for the implementation of the DPDPA for compliance, starting from the notification of the DPDPA rules. Similar timelines have been followed by the EU, Japan, Brazil, and the US state of California.  It also states that the rules should empower data fiduciaries to choose language options for consent notices based on customer demographics, ensuring inclusivity and easing compliance burdens. It stresses on the need to establish a mechanism for clarification of terms and provisions under the DPDPA, such as regular open-house discussions. Finally, it asks for a clarification of the scope of the term ‘Person with Disability’ to include only those severely mentally disabled or of unsound mind, respecting the rights and legal capacity of physically disabled persons. In conclusion, the report underscores that hastily implementing DPDPA will not address the issues, as effective resolutions demand a time-intensive approach.

Speaking on this, Meghna Bal, Head of Research, Esya Centre, said, “India has come a long way from the early iterations of the Data Protection Bill to the enactment of the Digital Personal Data Protection Act, 2023. The decision to eschew localisation requirements and a compliance heavy framework heralds a commitment to a progressive framework. It is now time to ensure that the prospective rules maintain the forward-thinking approach underpinning the parent Act, and preserve a compliance-light data protection regime in the country.