A recent study conducted by a Delhi-based think tank reveals that over half of data fiduciaries with a substantial user base in India lack experience in applying data protection laws in global jurisdictions. The comprehensive report, titled "An Empirical Evaluation of the Implementation Challenges of the Digital Personal Data Protection Act 2023: Insights and Recommendations for the Way Forward," sheds light on various operational and technical obstacles faced in executing the Digital Personal Data Protection Act (DPDPA).


According to the findings, 85 per cent of fiduciaries have initiated preliminary discussions on DPDPA compliance. However, the absence of specific rules defining the implementation details for many DPDPA provisions hampers their preparation, as elucidated by the research. The report draws insights from the provisions of India's Digital Personal Data Protection (DPDP) Act, enacted in August 2023, for which public consultation rules are yet to be released.


The research, conducted by the Esya Centre think tank with inputs from 16 industry stakeholders, including 13 data fiduciaries and three experts, highlights the progress from earlier versions of the Data Protection Bill to the enactment of the DPDPA in 2023. Meghna Bal, Head of Research at Esya Centre, emphasises the need to maintain a progressive and compliance-light data protection regime.


An intriguing aspect identified by the report is that 94 per cent of respondents anticipate technical changes to their products or services due to the language option requirement for notices mandated by the DPDPA. The challenges lie in translating legal terms, particularly when English terms about rights lack equivalents in languages listed in the Eighth Schedule.


The report also underscores the need for clear guidelines on obtaining verifiable consent from parents or guardians of children and individuals with disabilities. The ambiguous definition of "person with a disability" creates challenges in identifying and accommodating disabled individuals, potentially conflicting with the Rights of Persons with Disabilities Act, 2016.


To address these concerns, the research proposes a two-year compliance timeframe for the DPDP Act, similar to global timelines adopted by the EU, Japan, Brazil, and the US state of California. It recommends granting data fiduciaries the authority to choose language options for consent notices based on customer demographics. Additionally, the report advocates for regular open-house discussions to clarify DPDP terms and provisions and calls for a refined scope of the term "Person with Disability" to align with the rights and legal capacity of physically disabled persons.