Navigating the Digital Personal Data Protection Act (DPDPA): Challenges and the Road Ahead

With the Digital Personal Data Protection Act (DPDPA) now in place, the focus shifts from legislation to implementation. How can organizations adapt their digital infrastructure efficiently while ensuring compliance? Drawing parallels to past large-scale IT transitions like the Y2K challenge, experts and stakeholders convened at IIT Bombay on November 30, 2024, for an interactive workshop co-hosted by the Ashank Desai Centre for Policy Studies and IITB Trust Lab, in collaboration with Ministry of Electronics and Information Technology (MeitY) and Bureau of Indian Standards.

Structured around four key themes—Overview of the Act, Role of Standards, Consent Management, and Data Privacy & Protection—the workshop fostered discussions on practical roadblocks and strategic approaches necessary for a seamless transition.

This article is the first in a series unpacking key insights from the workshop, setting the stage for a deeper exploration of India’s evolving data protection landscape. Stay tuned!

With the passing of the Digital Personal Data Protection Bill, the legislative phase is complete, but the challenges of implementation remain. Effective execution requires the expertise of professionals who understand the intricacies of large IT systems: their practical experience with such transitions helps mitigate the time, effort, and financial costs of overhauling complex digital infrastructure.

The Y2K IT problem serves as a stark reminder of the challenges posed by large-scale system changes. The estimated cost of fixing the problem ranged from $100 billion to $500 billion globally.

The Y2K IT Problem

In the late 20th century, many computer systems stored dates using two digits for the year (for instance, ’99’ for 1999), a convention meant to save storage space, which was far scarcer then than it is today. As the year 2000 approached, it became apparent that these systems might interpret ’00’ as 1900 instead of 2000. This posed a significant risk to systems reliant on accurate date processing, including those governing banking, utilities, transportation, and healthcare.

The potential consequences were dire: financial systems could miscalculate interest or payment schedules, utility grids could fail, and logistical operations might collapse. Addressing this issue required a massive coordinated effort globally. Governments, industries, and IT professionals worked together to review, update, and test millions of lines of code across systems.

The parallels to the current situation are clear, since this shift will also involve adapting and enhancing complex IT systems to meet new requirements. Without adequate preparation and forethought, the consequences could be severe, leading to significant monetary losses.

It must be noted that digital systems lack the assurances traditionally offered by physical systems, such as warranties. Software companies have long been hesitant to provide warranties because of the inherent complexity and unpredictability of software systems.

Unlike physical products, which often have well-understood manufacturing processes and failure modes, software operates in diverse and dynamic environments. Here, bugs or incompatibilities can arise from factors beyond the developer’s control, such as hardware configurations or third-party integrations. Guaranteeing flawless performance in all possible scenarios is nearly impossible, making warranties a significant liability.

This makes trust a central concern in the digital landscape, since there is no formalised system for establishing reliability in the way traditional industries have. The proliferation of data in the digital ecosystem adds a new dimension to trustworthiness, one that is at least as important: it concerns not just the proper functioning of a product or service, but also the assurance that user information is not misused. Such misuse is harder to discern than a technical malfunction, which makes it easier for malicious actors to exploit.

To prevent and mitigate such instances, countries around the world have enacted laws. The General Data Protection Regulation (GDPR) of the European Union, enacted in 2016 and enforced from 2018, and Singapore’s Personal Data Protection Act (PDPA), enacted in 2012 and effective from 2014, are two such examples.

Overview of the DPDPA Act

The history of data protection legislation in India traces its roots back to 2011, when the government established a Committee of Experts chaired by Justice A.P. Shah. The motivation behind this was the increasing use of technology in social and welfare initiatives, particularly Aadhaar, which raised concerns about potential privacy risks. In its 2012 report, the committee emphasised the importance of protecting citizens’ privacy and recommended the creation of comprehensive privacy legislation for India. Despite the report, efforts to enact such a law stalled for several years.

The focus on privacy resurfaced in 2017 during the Supreme Court’s deliberations on the constitutionality of Aadhaar, which had been challenged on the grounds of privacy infringement. In the landmark Justice K.S. Puttaswamy v. Union of India case, the Supreme Court unequivocally recognised privacy, including informational privacy, as a fundamental right under the Indian Constitution.

Concurrently, the government constituted another Committee of Experts under Justice B.N. Srikrishna to draft a data protection framework. This culminated in the first draft of the Personal Data Protection Bill in 2018. However, the bill underwent extensive scrutiny by a Joint Parliamentary Committee, which proposed substantial amendments, leading to the withdrawal of the draft in 2021.

In November 2022, the government introduced the refreshed Digital Personal Data Protection Bill. This updated legislation incorporated the learnings and suggestions of the preceding years, and eventually became the Digital Personal Data Protection Act (DPDPA) in August 2023.

Objectives & Terminology

The DPDPA aims to bring about a paradigm shift in how organisations process and manage certain types of data. The Act emphasises accountability and mandates transparency in data handling practices. Its guiding principle, encapsulated in the acronym SARAL (Simple, Accessible, Rational, Actionable Law), aims to make the framework easy to understand even though its subject matter is modern technology.

In addition, the Act aspires to be technology agnostic. This means that it should remain relevant even as newer technologies emerge, but any conclusions about its long-term resilience must wait a few years.

To better understand the Act’s implications, it is imperative to be acquainted with some of the key definitions set out in Chapter 1 of the Act.

DPDPA focuses specifically on digital personal data, meaning it regulates the collection, processing, storage, and transfer of data that can identify an individual and is in digital form. It does not apply to non-personal data (for instance, aggregated or anonymised data that cannot identify individuals) or data in non-digital formats such as physical records, unless those records are digitised.

The Rights of Data Principals

The Act gives individuals several important rights pertaining to their personal digital data. These include the right to access information about their data from the Data Fiduciary with whom they have shared it. Data Principals can request a summary of the personal data being processed, details of processing activities, and information on third parties with whom the data has been shared.

However, this right has exceptions. Under Section 11(2), the government or any legally authorised entity can demand access to personal data if it is ‘for the purpose of prevention or detection or investigation of offences or cyber incidents, or for prosecution or punishment of offences’, which shall not be disclosed to the Data Principal.

Data Principals also have the right to request the correction, completion, updating, or erasure of their personal data when processing occurs based on their consent. This ensures that individuals can maintain control over the accuracy and relevance of their data in the systems of Data Fiduciaries.

Furthermore, the Act emphasises accountability by mandating that Data Fiduciaries provide easily accessible grievance redressal mechanisms for any violation of rights or obligations related to the personal data of Data Principals.

Finally, the Act enables individuals to nominate another person who can exercise their data-related rights in the event of death or incapacity.

Rights of Individuals under DPDPA

  1. Right to access information about personal data
  2. Right to correction and erasure of personal data
  3. Right of grievance redressal
  4. Right to nominate

Two more points are important to note. First, the Act places special emphasis on protecting the personal data of children. It mandates that Data Fiduciaries must exercise caution in processing data that could harm a child’s well-being. Specifically, they are prohibited from engaging in activities such as tracking or behavioural monitoring of children, and targeted advertising directed at them.

Second, the Act imposes enhanced responsibilities on entities classified as Significant Data Fiduciaries — these refer to Data Fiduciaries as may be identified and notified by the Central Government based on various criteria, for instance, the volume and sensitivity of personal data handled, or the potential impact on the sovereignty and integrity of India. To maintain compliance, such entities are required to conduct periodic Data Protection Impact Assessments and audits, ensuring that their data processing practices align with the highest standards of privacy and security.

The Data Protection Board

The DPDPA provides functional freedom to Data Fiduciaries, allowing them to decide how to fulfil their obligations under the Act. However, they must demonstrate compliance when required, ensuring accountability in their processes. To oversee this process of compliance and to address grievances, the Act establishes a Data Protection Board (DPB), a statutory body responsible for monitoring data protection practices. Under Section 18(2):

‘The Board shall be a body corporate by the name aforesaid, having perpetual succession and a common seal, with power, subject to the provisions of this Act, to acquire, hold and dispose of property, both movable and immovable, and to contract and shall, by the said name, sue or be sued.’

The Board is empowered to take action in cases of personal data breaches, whether through complaints from Data Principals, government referrals, or court directions. It can mandate urgent remedial or mitigation measures and conduct inquiries into such breaches. Additionally, the Board has the authority to impose penalties on entities found in violation of the Act, ensuring accountability and swift redressal of privacy violations.

The DPB is designed to function as an independent body, striving to operate as a digital-first office to enhance efficiency. Its inquiries and decisions are required to adhere to the principles of natural justice, which include ensuring fairness, impartiality, and transparency in decision-making.

To carry out its responsibilities, the Board is vested with the powers of a civil court under the Code of Civil Procedure, 1908. This enables the Board to summon individuals, examine evidence, and make binding decisions, thereby granting it significant authority to enforce the provisions of the Act and uphold data protection standards.

Anyone aggrieved by an order or direction made by the Board can appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), which serves as the competent authority for further resolutions.

Questions

What procedure will the Data Protection Board follow?

A major question revolves around the operational procedure of the DPB and whether it would follow the Code of Civil Procedure (CPC) or an alternate system. While the Act grants the Board powers akin to a civil court, including summoning individuals and examining evidence, there is ambiguity about whether a more streamlined Summary Procedure will be adopted.

Given the technical nature of data privacy cases, the Board may need to rely heavily on expert input in specific cases. While the Act states that inquiries will follow the Principles of Natural Justice, further clarity from the government is essential to establish procedural norms.

The process for investigating data violations raises multiple points of uncertainty. The existing framework under the IT Act, with its definitions of “evidence” and its compliance audits such as those based on the ISO 27000 family of standards, could potentially be leveraged. However, several critical aspects remain ambiguous:

  • Investigating Authority: It is unclear who would be tasked with conducting these investigations; officers from the DPB, third-party experts, or empanelled vendors are some possibilities.
  • Frivolous Complaints: There are concerns about potential misuse of the complaint mechanism by Data Principals themselves, which could bog down the system with trivial or baseless allegations, and it is unclear how such complaints will be dealt with.
  • Compliance Demonstration: A significant gap exists regarding how Data Fiduciaries would demonstrate compliance with the Act.

Guidance and clarification from the Ministry of Electronics and Information Technology (MeitY) is needed to avoid problems later on.

While the idea of a fully digital DPB office aligns with the Act’s intent to create a seamless, technology-driven ecosystem, several practical challenges exist.

  • Infrastructure Readiness: Many participants questioned whether the current digital infrastructure, particularly in rural areas, is robust enough to support such a system. For instance, lack of reliable internet access could hinder grievance registration or investigation.
  • Skill Gap: Staff operating the DPB would need specialised training to handle complex data protection cases, especially if the office is entirely digital.
  • Inclusivity Concerns: Marginalised communities, people without internet access, or those who rely on manual data input could face challenges engaging with a purely digital system. Solutions such as integrating post offices, police stations, or helplines for manual grievance intake can be considered as viable alternatives to ensure inclusivity.
  • Language Barriers: With India’s linguistic diversity, there is a pressing need for grievance redressal mechanisms in multiple regional languages. The establishment of district or state offices can help address this issue.

A fully digital office, while ideal in theory, is impractical in the immediate future. A hybrid model combining digital and physical systems might be the most inclusive and efficient way forward.