India navigating hurdles in implementing data protection law

The newly enacted Digital Personal Data Protection (DPDP) Act of 2023 aims to protect individuals' digital personal data and ensure compliance by data fiduciaries. Increasingly, we are dealing with companies or platforms that we refer to as data fiduciaries. The Act casts certain obligations on data principals and data fiduciaries.

India has been circumnavigating snags in employing its data protection laws, which intend to safeguard the privacy and security of personal data. However, akin to any big endeavour, there are numerous hurdles in transit, including defining jurisdiction, ensuring compliance from companies, establishing infrastructure for security, data localisation, etc.

Nevertheless, the government is enthusiastically driving towards the same to guarantee active implementation and protection of the data.  

Critical compliances organisations collecting personal data must abide by include obtaining lawful consent, special consideration for minors, providing a withdrawal mechanism, specifying terms and conditions in user agreements, implementing adequate security measures, and reporting data breaches.

Employing techniques such as data masking and encryption and allowing limited access are ways to mitigate the risks associated with data.

The fundamental tenets of the Digital Data Protection Act are as follows: 

• Currently, the DPDP Act highlights how crucial it is for companies to put administrative and technical protections besides appropriate security measures to prevent personal data breaches in India.
• Accountability is emphasised; data fiduciaries are the organisations in charge of deciding why and how to process personal data, and they are penalised for any infractions—even if they occur when carried out by third-party operators.
• According to this legislation, organisations must put in place organisational and technical protections and adequate safety precautions to secure sensitive data and stop data breaches.
• A crucial component is accountability, whereby the organisation serving as a data fiduciary and choosing the means and purposes for processing personal data is legally accountable. 

However, the ambiguity around schedules for execution is one crucial factor. The regulations should also include information on the timelines for various responsibilities, like answering demands for data erasure. The transfer of legislative authority and the requirement for a more rigid framework provide further difficulties. The industry is currently contrasting the DPDP Act with fully developed legislation such as the General Data Protection Regulation (GDPR).

However, a more complete set of regulations will be available once the accompanying DPDP rules are released. Finding a balance between privacy protection and promoting innovation and economic growth also poses challenges. Ensuring compliance by organisations of all scales is a challenging task, especially for small businesses with limited resources. 

The DPDP Act requires smaller companies and startups to completely rework their backend and frontend to comply with the new law. They have been collecting the personal information of users at varying stages and have had little say in how this information is used, having limited resources, which is why they need more time.

This would require an effective enforcement mechanism to hold the violators accountable. After these points are made clear, companies will be able to proceed with a deeper comprehension of the real-world effects and difficulties associated with putting the DPDP Act into practice.

It is notable that for startups or other notified categories of data fiduciaries—under section 17(3) of the DPDP Act, 2023—there is specific mention in regards to the power of the government to exempt startups from being obligated to comply with some of the provisions of the law, having regard to the volume and nature of personal data processed.

Digital Personal Data Protection Act of 2023 marks a significant step towards safeguarding individuals' digital personal data and promoting responsible data practices in the industry.

Vineet Kumar is the Founder and President of Cyber Peace Foundation.