 "data protection digital competition bill meity")
Experts believe once the rules are out, they will probably impact the AI supply chain by regulating entities handling personal data. | Representative Picture
India’s data protection law, the Digital Personal Data Protection Act (DPDPA), will complete its first year on August 12, 2024. However, even after a year, it is virtually ineffective as the provisions still cannot be enforced in the absence of detailed rules, which are yet to be notified.
Experts and advocacy groups that Business Standard spoke to said this delay has made the Act lose its effectiveness.
Aruna Sharma, former secretary, Ministry of Electronics and Information Technology (MeitY), said that the delay in the notification of rules has made the Act redundant.
“There is a humongous amount of private data in the digital zone, and the intention through the DPDPA was to protect the same. Awaiting the rules is resulting in different interpretations and confusion,” she said.
Talking about why the rules have been delayed so much, Sharma further added, “A hurriedly passed Bill to come up with an Act is the issue; there is a need for wider consultation.”
Digital rights and advocacy groups said that the delay in the notification of rules is creating business uncertainty and has limited individuals’ ability to exercise rights given to them under the Act, especially when it comes to grievance redressal.
“The end user feels helpless without any recourse to an easy process for data breaches. They are squeezed between a callous government that wants to extract all kinds of data without offering any assurance of protection and companies that want to offer convenience in exchange for data,” said Mishi Choudhary, founder, Software Freedom Law Centre.
However, reports suggest that companies that deal with vast amounts of data are finding it hard to comply with the Act, which has been in place for a year now but without the rules.
A study released by a Delhi-based think tank in May this year said that around 85 per cent of data fiduciaries had begun preliminary deliberations on DPDPA compliance. “However, their preparation is hindered by the absence of rules that make up the substance of implementation for many provisions in the DPDPA,” the report by Esya Centre said.
A data fiduciary, under the DPDP Act, is any entity or individual that determines the purpose and means of processing personal data.
“Businesses like predictability. That helps them design a product roadmap, allocate budgets for compliance and recruitment. Everything is delayed in the absence of governing rules,” said Choudhary, talking about how the delay is impacting businesses.
“The delay in the notification of the Digital Personal Data Protection Rules (DPDP Rules) has various implications for the industry and end users. Some of the provisions within the DPDPA 2023 still need directions and clarity for better interpretation and sufficient operationalisation of the same,” said Kamesh Shekar, senior programme manager, The Dialogue.
He also said that the notification of the provisions of the DPDPA 2023 must be done in a phased manner so that data fiduciaries get enough time for meaningful operational mechanisms to comply.
Changes in the past one year
With the passage of the Act, the past year has seen a rise in specialised tech-policy firms offering compliance services to big companies on the provisions of the Act.
Experts believe that this will continue to grow further.
“Consulting practices, lawyers, and compliance offerings will only grow with the size of the industry and the enactment of rules. We need robust measures for compliance, but continued uncertainty leaves everyone unsafe,” said Choudhary.
The last year also saw the use of artificial intelligence (AI) and its related challenges.
Experts believe once the rules are out, they will probably impact the AI supply chain by regulating entities handling personal data, and these entities might also be classified as data fiduciaries or processors subject to the law’s provisions.
“As AI technologies rely on massive amounts of data to train their algorithms, entities within the supply chain that handle personal identification information may be classified as data fiduciaries and data processors, thereby falling under the purview of the DPDPA 2023,” said Shekar.
He further said that there was less clarity in terms of how consent artifacts apply in scenarios where AI applications are developed. “For instance, in a scenario where AI technology is developed using data scraped from different places, how could AI developers obtain the consent of individuals who are users of third-party applications?”
“Therefore, as we move forward, it will be essential for the rules to clarify the applicability of the DPDPA 2023 within the AI ecosystem,” he added.
First Published: Aug 11 2024 | 3:41 PM IS