
DPDP Act's long gestation period raises questions about its efficacy

The DPDP Act comes with a long gestation period. What does that mean for its efficacy?

Surajeet Das Gupta New Delhi
Last Updated: Jan 06 2025 | 10:36 PM IST
Nearly seventeen months after Parliament cleared the much-debated Digital Personal Data Protection Act (DPDP) 2023 and the President gave assent to it, the ministry of electronics and information technology (MeitY) last week released the draft rules for its implementation. But the Act, which is meant to balance regulation and innovation while protecting citizens’ rights, is still some way from becoming reality. MeitY has given 45 days for public consultation on the guidelines, till February 18.
MeitY Minister Ashwini Vaishnaw said he expected the final rules to be placed in the Monsoon Session of Parliament, after which digital entities will get two years to adapt their systems to comply with the new law. So, if everything goes well, they have time till July 2027 or so.
 
Many experts and advocacy groups say the long period of gestation has made the new law less effective. With more time still to go for its implementation, citizens will be left to fend for themselves with little redressal for data breaches. 
The government says the time taken was required, because the industry wanted extensive consultation. In addition, there was no global reference point, except the stringent European rules for data protection. So India had to work its way from the ground up. 
Global tech players agree, saying the Act that was passed was certainly a big improvement over its earlier iterations. So broader consultations did help. Yet, at a broader level, many are concerned over the two more years that MeitY is willing to give digital companies, instead of adopting the graded approach it had earlier put in place for implementation. 
Just a few days after the Bill was cleared last August, minister of state in MeitY at that time, Rajeev Chandrasekhar, had publicly said the government will implement the law first for Big Tech firms, such as Google, Amazon, Microsoft, and Apple Inc, which are already prepared as they have done it in Europe, followed by smaller entities and startups, and then perhaps government entities. 
The government, however, seems to have accepted the demand of Big Tech. When the Bill was passed in Parliament last year, they had said they would need anything between 18 and 24 months to put in place the mechanism for implementing it. Due to the gap between the Act being passed and the rules being framed, Big Tech has already had 17 months, and there is still some time left before the rules are finally cleared and adopted.
 
Big Tech’s big concerns 
To be fair, though, even significant data fiduciaries (SDFs), which include the global Big Techs, have some serious concerns over what they see as additional burdens being imposed on them on localisation of data and cross-border data transfers. The draft rules, for instance, have introduced a new obligation for SDFs, such as ensuring no transfer of personal data or traffic outside India if identified by the Central government based on recommendations of the newly constituted “committee”.
The government in the initial stages had considered allowing processing of sensitive personal data abroad with the condition that a copy of the data be stored in India. But it quickly realised that was not in sync with the move towards digitisation in the country and decided to restrict personal data transfers to certain countries while allowing them to most others that mattered.
But the draft rules have brought in a new twist. Says a top executive of a US global tech firm: “The draft rules are in conflict with the DPDP Act, which does not provide for the constitution of a committee to impose restrictions at all. These lead to concerns of overreach by the government and create a layer of bureaucracy not envisaged in the Act.”
 
He points out other “ambiguities” in cross-border data transfers. For instance, the draft rules specify that entities processing personal data in India or outside (related to goods and services being offered to Indian citizens) may transfer such data only if there is no restriction imposed by the Central government under the DPDP Act. “But the Act only restricts transfers to specific countries and territories by notification. It does not impose conditions on data transfer outside India,” says the executive.
The other area of concern for Big Tech is that the rules give the government huge residual powers. The lawyers of Big Tech say the retention of broad discretionary powers by the government under the guidelines will lead to policy unpredictability, leaving the government with too much room to operate on a case-by-case basis, hampering compliance efforts as stakeholders struggle with rules and policy.
 
Impact assessment 
Big Tech has also raised questions on the rules under which SDFs have to provide the government a data protection impact assessment and audit every year. However, law firm Shardul Amarchand Mangaldas, in a note, points out that there is no clarity on what an impact assessment and audit are and what they will entail.
 
Another debate is over the consent requirement for children (those under 18 years) — an area where countries across the world have had major debates. Australia, for instance, has decided to ban access to social media for children below 16.
MeitY officials say a blanket ban does not suit India, where a lot of education happens online. Instead, the draft rules ask for verifiable consent from parents or lawful guardians prior to processing children’s personal data. The rules place the onus on “data fiduciaries” to conduct due diligence and ensure verification.
The draft rules also waive the consent requirement for processing of personal data of children for “certain” purposes. These include processing data to ensure that harmful information is not accessed by them and processing data for creating email accounts for children to be able to communicate.
 
Not so easy 
All this, of course, poses major implementation challenges. Shardul Amarchand says the first problem is that the draft rules do not provide guidance on how the data fiduciary will establish whether a person is a minor or not. MeitY had last year looked at DigiLocker and Aadhaar as ways to verify age, but did not find the method effective.
Many tech companies are worried about the stringent rules for the “consent manager”, who would be playing a key role in ensuring safety of the data. But their role comes with serious operational challenges. The rules say they are required to meet specific obligations with the threat of suspension or cancellation of their registration for noncompliance. “This could lead to operational uncertainty and discourage innovation in the consent manager space,” says the legal head of a tech firm.
The draft rules, however, provide much-needed clarity in some areas. The Act required that data fiduciaries could not retain personal data beyond the purpose for which it was collected, but did not specify the retention period. The draft rules fix the retention period. So, for instance, ecommerce and social media intermediaries with 20 million registered users have to remove personal data if the user has not used the account for more than three years or not contacted the data fiduciary within three years of the commencement of the rule. The same applies to gaming companies with 5 million users.
 
That said, there are many questions the government will need to address in the coming weeks. 
NOT SO FAST 
December 4, 2019: Personal Data Protection Bill (PDPB) cleared by Union Cabinet
December 11, 2019: Placed in Parliament
August 2022: PDPB withdrawn
November 2022: Revamped Bill — Digital Personal Data Protection (DPDP) Bill released for public consultation
July 2023: DPDP Bill cleared by Cabinet
August 11, 2023: DPDP Act enacted, gets President’s signature
January 3, 2025: Draft rules released by MeitY
February 18, 2025: Last day for stakeholder comments on the draft rules
July 2025: Rules to be placed for clearance in the Monsoon Session of Parliament

 
WHAT THE DRAFT RULES SAY 
Verifiable consent from parents will have to be obtained before processing personal data of those below 18 years, with some exemptions 
Consent managers have to be registered, after which they will have obligations; failure to meet obligations would mean suspension or cancellation of registration
Central government empowered to seek information from data fiduciary for purposes related to sovereignty and integrity of India or national security, and also for notifying a data fiduciary as SDF (significant data fiduciary) 
SDFs to ensure they do not transfer any personal data outside India as may be identified by the Central government
 
