Come May 2027, a flurry of earnest pleas to “take a moment to confirm your preferences” or “please read our updated privacy policies!” will flood your inboxes, en masse, from every dusty corner of your digital past. These well-mannered messages will signal the operationalisation of India’s first law on data protection, the Digital Personal Data Protection Act. With the passage of corresponding rules last week, the law comes into effect in 18 months. It will change how all of us use the internet.
What is the new law?
The DPDP Act is India’s attempt to regulate how companies use the personal data of users. The law requires companies to be transparent about what personal data they gather and why, and to get users’ consent via the press of a button before processing it. Users are guaranteed rights to ensure access to their personal data and the ability to demand that it be erased. For example, if a user provides a company with their email address in the course of using their service, they can later demand that the company remove it from its records.
Among other requirements, the law requires companies to adhere to minimum security standards and notify users of any data breach, irrespective of severity. Consent notices reaching users need to be clear, specific, unambiguous and unconditional, setting a higher bar for companies to target services or advertising using personal information.
The law also restricts targeting advertisements to children and limits any monitoring or tracking activities of minors to activities essential for safeguarding their safety, educational development or well-being.
What does it mean for users?
At its core, data protection is a tool for users to exercise control over their data. But it also depends on user agency and capacity.
The DPDP Act’s simple framing will allow users to take the first step of familiarising themselves with the rights and duties under the law. This exercise will not be merely optional homework, but the only way the rights under the Act will work in practice and, in effect, prove the efficacy of the law. Users are expected to know how to give or withdraw consent, ask why their data is being processed, update or erase data and even nominate someone to act on their behalf. Crucially, when a data breach occurs, the law assumes users are equipped enough to act on any remedial guidance they receive following a breach.
The need for verifiable parental/guardian consent will also change how children or persons with disabilities (PwDs) interact with digital services. Users will need to jump through hoops of age-gating at the stage of sign-on, and children and PwDs will face the additional friction of accessing services only after due verification of their parent/guardian’s identity. As more digital services move behind verification flows, the challenge will be ensuring safety without limiting access.
Making the law work
It’s one thing to have the law on the books, quite another to implement it effectively.
For one, India does not have a data protection regulator to make good on the DPDP Act’s promise and articulate clear future standards or codes to help companies adapt to the evolving strides in the digital economy. Instead, the law provides for a data protection board, an adjudicatory body, with the limited mandate of imposing penalties on companies violating the Act. This leaves India without a specialised body, equipped with enforcement tools and the ability to provide clarity on standards the law leaves undefined.
Then there is the issue of consent fatigue among internet users, and the clogging of inboxes with eager notices. Europe showed, within months of its data protection law, the General Data Protection Regulation, coming into effect, that heavy fines, without clear guidance, can push companies into excessive caution. Realistically, most notices will not be readable and will be marred with legalese and technical jargon, even if the law says otherwise.
The relevance of consent as a mechanism to process personal data will also be challenged by the speed of technological change, including the proliferation of artificial intelligence (AI) and machine learning. AI is set to permeate all aspects of a user’s everyday interaction with digital services. It is hard to imagine a truly frictionless or fully informed consent experience for users when they are surrounded by the next generation of the ‘internet of things’ in the form of AI-enabled cars, washing machines, fridges and so on. India may eventually need to explore alternative approaches to data protection.
Finally, the government perhaps hopes that the fines in the law will act as a strong deterrent for defaulters. Erring companies found violating the Act risk penalties up to Rs 250 crore. They certainly have their task cut out over the next 18 months, as data protection can no longer be an afterthought. But the government must simultaneously work on educating users on the law. Gradually, a body of jurisprudence will take shape as users bring cases before the data protection board. While such legal proceedings may lack the spectacle of high-profile corporate scandals, they may ultimately define the efficacy of the data protection regime in India.
The authors work at Koan Advisory Group, a technology policy consulting firm. Views are personal.
This article is part of ThePrint-Koan Advisory series that analyses emerging policies, laws and regulations in India’s technology sector.
(Edited by Theres Sudeep)

