Don’t miss the latest developments in business and finance.

54% data fiduciaries lack experience in enforcing data protection laws

The research findings are based on the provisions of India's Digital Personal Data Protection (DPDP) Act that was passed by both the houses of parliament in August 2023

Personal data protection
Illustration: Ajay Mohanty
Ashutosh Mishra New Delhi
4 min read Last Updated : May 28 2024 | 2:09 PM IST
More than 50 per cent of data fiduciaries with a significant user base in India lack experience in implementing data protection laws in other jurisdictions across the world, according to a report by a Delhi-based think tank. The report captures a diverse range of experiences and perspectives on the operational and technical hurdles in implementing the Digital Personal Data Protection Act (DPDPA).

The report found that 85 percent of fiduciaries had begun preliminary deliberations on DPDPA compliance. "However, their preparation is hindered by the absence of rules that make up the substance of implementation for many provisions in the DPDPA," the research explained.

The research findings are based on the provisions of India's Digital Personal Data Protection (DPDP) Act that was "passed by both the houses of parliament in August 2023". The rules for the Act are yet to be released for public consultation.

The findings are part of the research carried out by the think tank Esya Centre in a report called "An Empirical Evaluation of the Implementation Challenges of the Digital Personal Data Protection Act 2023: Insights and Recommendations for the Way Forward." It has involved insights from 16 industry stakeholders, of which 13 are data fiduciaries and three are experts.

"India has come a long way from the early iterations of the Data Protection Bill to the enactment of the Digital Personal Data Protection Act, 2023. The decision to eschew localization requirements and a compliance-heavy framework heralds a commitment to a progressive framework. It is now time to ensure that the prospective rules maintain the forward-thinking approach underpinning the parent Act and preserve a compliance-light data protection regime in the country," said Meghna Bal, Head of Research, Esya Centre.

The report further found that around 94 percent of the respondents also indicated that implementing the language option requirement for notices as mandated under the act will cause technical changes to their products or services.

According to the report, respondents highlighted difficulties in translating certain legal terms, as many English legal terms about rights do not have equivalents in the languages listed in the Eighth Schedule.

Also Read


"This suggests that only a 'best-effort' transliteration might be possible, raising concerns about compliance tokenism. The goal of inclusivity behind the Eighth Schedule requirement is questionable, considering the minimal population speaking some of these languages (e.g., Sanskrit) and the exclusion of popular but unscheduled languages," the report further added.

Another requirement that the report points out is to establish clear guidelines for securing verifiable consent from parents or guardians of children and individuals with disabilities. Currently, the term "person with disability" lacks a specific definition, implying that this provision covers both mentally and physically disabled individuals, says the research.

"This is challenging because it might be difficult for firms to create a means to identify all kinds of disabled persons. In addition, it is also prejudicial to the rights of disabled persons who are competent to contract and can cause a potential conflict with the Rights of Persons with Disabilities Act, 2016," the research comments.

To address these issues, one of the key solutions the research proposes is a two-year timeframe for complying with the DPDP Act, starting from the notification of the rules, similar to the timelines that were adopted by the EU, Japan, Brazil, and the US state of California.

Further, it recommends granting data fiduciaries the authority to select language options for consent notices based on customer demographics.

It also underlines the need for regular open-house discussions to clarify terms and provisions under the DPDP. Additionally, it asks for "a clarification of the scope of the term 'Person with Disability' to include only those severely mentally disabled or of unsound mind, respecting the rights and legal capacity of physically disabled persons."

More From This Section

Topics :data protection lawsBill on personal data collectionIndian companies

First Published: Jan 18 2024 | 8:07 PM IST

Next Story