Data Protection Regulations: Industry Urges Clarity on Consent, Children’s Data, and Breach Reporting Requirements

Industry Experts Call for Clarity on Digital Personal Data Protection Act Rules

The implementation of the Digital Personal Data Protection (DPDP) Act in India has left many industry stakeholders seeking clarity, particularly regarding user consent procedures for personal data processing and specific regulations on children’s data. Experts have highlighted the urgency of defining these aspects, as businesses prepare for compliance with the new law.

Enacted by the Indian Parliament in August 2023, the DPDP Act establishes a framework for the handling of personal data by designated entities, referred to as "data fiduciaries." While the act is a significant advancement in data protection, the absence of detailed rules governing its application has left organizations somewhat in the dark. Experts are particularly focused on how consent should be obtained, especially for minors, as well as the processes surrounding data breach notifications, which have yet to be thoroughly defined.

Aparajita Bharti, co-founder of the public policy consulting firm Quantum Hub, emphasized that businesses are eager for clear guidelines related to parental consent for children’s data. The act mandates that data fiduciaries secure verifiable consent from a child’s parent or guardian, but specifies only that this must be done in a manner "as may be prescribed," prompting anticipation for the upcoming DPDP Rules. Bharti noted that clarity on what qualifies as "verifiably safe" for child data is crucial, particularly for platforms catering to users under the age of 18.

Adding to the discourse, Sreenidhi Srinivasan, a partner at Ikigai Law, pointed out that various companies are also keen to understand the process for notifying the Data Protection Board in the event of data breaches. The current regulations have left this procedural detail open to the DPDP Rules, creating uncertainty for enterprises aiming to align their operations with the new legal landscape.

While many companies are already taking proactive steps towards regulatory compliance, they are still waiting for further details regarding breach notification procedures and data retention timelines. Srinivasan noted that the timing of the DPDP Rules’ implementation plays a pivotal role in determining how businesses adapt their data handling practices in accordance with the law.

Mishi Choudhary, founder of the digital rights advocacy group SFLC.in, underlined how essential it is for businesses to have a clear understanding of when these rules will come into effect. She remarked that the timeline for implementation will greatly influence how organizations modify their policies to comply with the DPDP Act.

Furthermore, Choudhary called for elaboration on the exemptions that may apply to certain classes of data fiduciaries, including start-ups. The DPDP Act allows the central government to exempt specific entities from certain obligations, such as notifying users for consent or ensuring the accuracy of personal data. However, this provision requires additional clarity to ensure that businesses know the criteria for these exemptions.

As businesses await the rollout of the DPDP Rules, it’s important to consider the potential implications for data protection compliance. Choudhary emphasized that effective enforcement is critical for the Act’s success, drawing a parallel to the European Union’s General Data Protection Regulation (GDPR), which has established itself through stringent enforcement and significant penalties.

In summary, the DPDP Act holds potential for enhancing data protection in India, but the forthcoming rules will be critical in determining the operational landscape for businesses. The urgency for clarity on consent, children’s data handling, and breach notifications reflects a broader industry concern as firms navigate a new world of data compliance.
