Sohini Banerjee* and Anmol Bharuka**

The Digital Personal Data Protection Act, 2023 does not define any clear transition periods for its implementation. In this article, we explore the significance of transition periods in ensuring regulatory compliance in the context of data protection frameworks. In doing so, we emphasize the need for a well-defined and extended transition period, along with a staggered implementation approach to accommodate the challenges posed by the novel standards introduced.
Introduction
The Digital Personal Data Protection Act, 2023 (“DPDP Act”) received Presidential assent in August 2023 after multiple iterations beginning from 2018. The law will have widespread ramifications for all stakeholders involved in the Indian digital ecosystem, requiring industry stakeholders to have a firm grasp on the new regulations.
In this article, we will examine the significance of adequate transition periods in ensuring regulatory compliance with the data protection regime in India. Transition periods, typically, allow the regulated entities a defined time frame within which they must ensure compliance with the new requirements put forth by a regulatory authority. In the context of data protection, while the DPDP Act introduces multiple obligations on entities, it has not provided sufficient clarity on the timeline within which compliance has to be undertaken.
Hence, we argue that the Ministry of Electronics and Information Technology (“MeitY”) needs to account for the novelty of such standards for the digital ecosystem in India and provide a clearly defined and adequate transition period under the DPDP Act. This would inter alia involve taking policy decisions to, firstly, ensure an extended transition period ranging between 18 and 24 months and, secondly, ensure that such provisions come into force in a staggered manner.
Previous drafts of the data protection law have adopted different approaches to sketching out a transition period. While Section 97 of the 2018 version broadly set the transition period as 12 months, the later versions (i.e., Section 1(2) of the 2019 version, Section 1(2) of the Joint Parliamentary Committee’s 2021 version, and Section 1(2) of the 2022 version) broadly stated that the proposed act would come into force as and when notified by the government. A similar approach has been followed in Section 1(2) of the DPDP Act. However, this approach creates ambiguity around the actual time data fiduciaries may get for implementing various onerous obligations, which range from age-gating their services for children to sending notices obtaining consent for data collected prior to commencement of the DPDP Act. Given the steep penalties imposed by the law, due compliance with the standards set forth will prove to be an existential aspect for industry.
Global practices
Evidently, global practice around the passage of a data protection regime and its implementation has ensured that the relevant stakeholders get adequate time for implementation by keeping a sufficient gap between the passing of the law and its coming into force. For instance, the European Union granted a transition period of 2 years before enforcing the Global Data Protection Regulation in 2018, hailed as the ‘toughest’ privacy and security law in the world. It is worth noting that even this 2-year period was considered to be insufficient – with a Deloitte study finding that only 35% of organizations surveyed were fully compliant with the GDPR by July 2018.
Similarly, Singapore implemented amendments to the Personal Data Protection Act, 2012 in a staggered manner over the course of 2021 and 2022, where hefty penalties came into effect only after industry was given due time to comply with the provisions. This approach was also followed in the United States, where the California Privacy Rights Act, a consumer privacy act which amended the existing California Consumer Privacy Act, was adopted on 03 November 2020 – but only came into effect on 01 January, 2023. Separately, in terms of developing economies, the Brazilian data protection law was approved in August 2018 and came into effect in a staggered manner, with obligations coming into force on September 18, 2020, and penalties only becoming enforceable on 01 August, 2021; Indonesia passed their data protection law in October 2022, but fines for violations will not be imposed until October 2024; and Thailand passed its data protection law on 27 May 2019, which only became fully effective on 01 June 2022.
Need for extended timelines in India
As a developing nation, we believe that India should provide adequate time to regulated entities to comply with the new data protection regime. This is even more pertinent considering the drastic leap such entities would be making – from the archaic Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (SPDI Rules, 2011) to a novel and sophisticated framework. Stakeholders have reportedly sought an extended timeline of 18-24 months for implementing the law. Further, they have underlined the potential need to upgrade their technical architecture to demonstrate compliance with various provisions of the law, such as additional compliances of a significant data fiduciary and operationalizing the various rights of data principals.
An extended timeline will be beneficial for a holistic development of the digital ecosystem under the new data protection regime. First, it will ensure an effective implementation of the standards sought in the DPDP Act by differently sized organizations – from smaller firms who may be taking initial steps towards having data protection standards, to larger firms who may need due time to extend such standards to the entirety of their operations in India. Second, an extended timeline will ensure companies have sufficient time to understand all the specific compliances under the DPDP Act – aspects of which will only be clear once the subordinate legislations are issued. This may not be possible at the moment since the DPDP Act in its current form imposes standards couched in broad terms.
Third, an extended timeline would address the fundamental conflict in terms of regulating new technologies – i.e., tech-advancements will always outpace their regulation – by ensuring organizations incorporate the basic principles that ensure data protection in their organizational practices. This is because providing a sufficient transition period may ensure effective implementation of key principles such as data minimization and purpose limitation. This would in turn build a solid foundation of data privacy practices in organizations, potentially ensuring adequate compliance with data protection principles in the face of newer technologies.
Fourth, providing the industry stakeholders with adequate time in this context would boost business certainty not only in the tech-sector, but also in every inter-connected sector relying on the tech-sector. This bodes well for the economy as a whole. Lastly, the Central Government will be equipped with adequate time to effectuate a governance structure under the broad principles laid down under the DPDP Act. A well-executed data legislation in practice will aid the ease of doing business in India and promote foreign investments.
Any haste in formulating the governance mechanisms under the DPDP Act within a shorter transition period will lead to an ineffective legislation. Further, it will also leave complex operational nuances of the data privacy principles under the DPDP Act to be solely figured out by the relevant stakeholders. It is worth noting that a failure to provide an adequate transition period to administer privacy standards efficiently may further result in privacy and cyber security threats for the millions of digital citizens in India. With data leaks from government institutions taking the center stage in the recent past – such as those which risked the data of approx. eighty crore Indians – having an effective data protection regime becomes even more critical.
Therefore, it is essential to ensure a smooth transition to implementing the DPDP Act. At the outset, it is desirable to have a defined transitional period outlined. This may be done by way of an official circular to aid in business certainty. In addition, there should be a concerted focus on helping businesses, by issuing guidelines, establishing hotlines, or undertaking collaborative initiatives to train and educate personnel, as well as offer technology upgradation assistance. Further, the government may formulate and provide industry guidelines which aid in the understanding of requirements, both technical and qualitative – as well as operate channels where entities can clarify doubts on implementation of technical as well as qualitative provisions of the DPDP Act.
Conclusion
The implementation of the DPDP Act would constitute a seismic shift in the governance of data in the country. Providing adequate transition timelines is key in this process. Enabling entities to comply with the requirements under the new regime in a smooth manner would ensure a meaningful data protection framework that is sound in letter and spirit. This would uplift data principals and protect their autonomy in an increasingly digitized world. Given that India is still a developing country in many aspects, it may consider a clearly defined and extended transition period based on constant dialogue with all stakeholders involved. This would ensure business certainty, boost the national economy, and provide a solid foundation for compliance with data protection principles which will extend to advanced and new technologies, as and when they evolve.
*Sohini Banerjee is a Research Fellow with the Policy Research Group at Shardul Amarchand Mangaldas & Co. She focusses on the intersection between law and technology, with a keen interest in data protection and privacy.
**Anmol Bharuka is a Research Fellow with the Policy Research Group at Shardul Amarchand Mangaldas. Her research is focused on law and technology, on themes including privacy, digital markets and artificial intelligence.
The authors would like to thank Shahana Chatterji and Namrata Ramachandran for their inputs.