The Digital Personal Data Protection Act, 2023 (DPDP Act) is a new data privacy law in India that aims to set compliance expectations for data fiduciaries. While the law brings relief by ensuring that personal data must be collected and processed in accordance with legal requirements, it also leaves several gaps and raises uncertainties.

One major concern is the lack of provisions regulating the purpose for which data can be collected and how it can be used, as long as it is deemed legitimate. This means that algorithms and AI-based applications can continue to exploit personal data for advertising purposes and other potentially unethical uses, except in the case of children. Additionally, it remains unclear how the consent of parents or guardians for children’s data can be effectively verified.

Another challenge is the enforcement of the law. The success of the DPDP Act relies on citizens being aware of their rights and utilizing the grievance redressal mechanism. However, there are no obligations for authorities to educate citizens about their rights or to conduct compliance audits. This lack of enforcement mechanisms weakens the effectiveness of the law.

The DPDP Act also lacks clarity on what constitutes “reasonable security measures” for data fiduciaries to prevent data breaches. While it is hoped that the rules that follow the Act will address this issue, the current lack of specificity raises concerns about maintaining robust data security practices.

Furthermore, the Act creates inconsistencies when read alongside the Right to Persons with Disabilities Act, 2016 (RPWD Act). The DPDP Act requires verifiable consent from the lawful guardian of a person with disabilities, but this contradicts the legal capacity recognition provided by the RPWD Act. The interplay between these two acts needs to be harmoniously interpreted to ensure the rights of people with disabilities.

As these ambiguities are likely to be addressed through litigation and judicial interpretation, it is important for the Ministry of Electronics and Information Technology (MEITY) to proactively amend the law or issue rules that provide clarity. This will ensure that the DPDP Act can effectively protect personal data while addressing the challenges and gaps it currently presents.

