On January 28, 2024, the world celebrated Data Privacy Day. For India, this held particular significance, as the country had implemented the Digital Personal Data Protection (DPDP) Act the previous year.
India's long journey towards a privacy-safe environment culminated last year with the enactment of the DPDP Act after extensive deliberation and discussions. Since then, various stakeholders, including industry, law enforcement agencies, and citizens, have been awaiting the notification of detailed rules to solidify the law.
Experts argue that the absence of rules does not mean that acts not complying with the law will be overlooked once the rules are released. Instead, they suggest the possibility of reciprocal action once the rules are notified and the Data Protection Board is established.
“While there’s a delay in the rules being notified under the Digital Personal Data Protection Act 2023 (DPDPA 2023), this doesn’t mean that violations occurring until the notification of rules may not come under scrutiny. Therefore, any current activities could also fall under the scrutiny of the Data Protection Board (DPB),” said Aparajita Bharti, Co-founder of TQH Consulting.
The DPDP Act fosters a privacy-conscious digital ecosystem. Its implementation means businesses and organisations must reconsider their strategies regarding data storage, management, and usage.
“As we move forward, it is essential to notify the Digital Personal Data Protection Rules sooner to provide guidance on operationalising the Act's provisions,” said Kamesh Shekar, Senior Programme Manager at The Dialogue.
Further, there are calls for extensive consultations with all stakeholders on the rules, to ensure the regulation is balanced and addresses the interests of all.
“It is crucial to have thorough consultations and discussions with stakeholders, including industry, civil society, and experts, on the rules, so we have a data protection regulation that balances state interests, business development, and consumer protection,” Shekar added.
The delay in the notification of rules is significant, as most platforms will need to develop products based on these rules, according to experts.
“Platforms will need to develop products based on these rules. The government has been meeting various stakeholders from industry and civil society to gather feedback on the way forward. This consultative approach is necessary to identify the best path,” said Bharti.
Cyberattacks and Privacy
The need for regulation around data management is underscored by the rise in cyberattacks and AI.
India has seen a sharp increase in data breaches and cybersecurity incidents in recent months, leading to the online leak of users' personally identifiable information. A study by the Data Security Council of India (DSCI) and Quick Heal revealed over 400 million cyberattacks in India in 2023.
While organisations like CERT-In respond to such incidents, comprehensive legislation like the DPDP Act is expected to streamline and prevent such incidents.
Additionally, concerns are growing about the adverse effects of artificial intelligence on data privacy worldwide. The DSCI report also notes that threat actors are using GenAI to target users with malicious emails and phishing.
While the Digital Personal Data Protection Act 2023 (DPDPA 2023) does not explicitly address its applicability to Artificial Intelligence technologies, experts say its provisions will apply appropriately to the Artificial Intelligence supply chain.
Discussing this, Shekar stated, “As AI technologies are developed using massive data amounts to train their algorithms and enhance output, entities exposed to personal identification information within the supply chain might be classified as data fiduciaries and data processors.”
Andy Teichholz, Global Industry Strategist at OpenText, believes that while businesses focus on AI development strategies, many still lack a defensible data management strategy with controls to restrict personal data usage and meet data minimisation requirements.
“Organisations continue to fail in addressing a critical first step: understanding what personal data they possess and its usage. How do companies do this effectively and efficiently? Ironically, AI is also the answer, utilising machine learning and advanced analytics to detect and protect personal data, extending beyond traditional sources to new repositories and file types (e.g., audio, video, and image data),” he said.
Data Privacy Day also serves as a reminder that aligning privacy and cybersecurity strategies is crucial as generative AI tools increasingly pervade enterprises, said Drew Bagley, VP & Counsel for Cyber Policy and Privacy at CrowdStrike.
“Responsible AI can be pivotal in protecting data against breaches. However, AI lacking privacy-by-design can introduce risk. Alongside emerging regulations, it's crucial for organisations to understand the types of generative AI being introduced into their environments and their use cases,” he added.