Year-in-review lists and data access rights
Come December each year, most apps are ready with stylised, vibrant, year-end reviews, mapping everything from the music and podcasts that filled your (y)ears to whom you spoke with frequently.
Most of us enjoy these lists because they may tell us something about ourselves (e.g., my step-count is abysmal; I need to spend more time running in 2026). These pithy year-end summaries could, however, shed some light on the bigger picture: what personal data can an individual access on request, and is responding to an access request as straightforward as it sounds?
Here’s a listicle that unpacks this in an Indian data protection law context.
Five (more) issues to consider as the DPDPA heads towards implementation
In August this year, India’s data protection law, the Digital Personal Data Protection Act, 2023 (fondly, the DPDPA) completed two years around the sun. I commemorated the anniversary with a list of 5 issues that had lingered despite the passage of time – questions without easy answers. There was a sense then that the draft rules, once finalised, might answer some of these (and other) questions.
Three months on, we have a chance to verify this. On 13 November, the DPDPA resurfaced, bringing with it the finalised Digital Personal Data Protection Rules, 2025 (now, also fondly, the DPDP Rules) and an 18-month implementation timeline. While this should wrap things up neatly in a bow by 13 May 2027 (which is when the law is supposed to fully take effect), several questions still remain. Questions that may be compounded by a shrinking – and now, likely to be compressed – implementation timeline.
Here are 5 more issues to consider as the DPDPA heads into implementation season.
Swiping right on grievance redressal.
Much has been written about the recently-released Swiped. Some critics liked the movie (due, in no small part, to Lily James’ performance), which is inspired by Whitney Wolfe Herd’s journey from co-founding Tinder through to reshaping online dating with Bumble. Others have suggested that the film can be one-note at the expense of fleshing out the complex issues at its heart and the underlying tech journey. (To be fair, asking a two-hour film to be everything to everyone is unrealistic.)
As a technology lawyer, watching an app or feature being built, shaped, or deployed in real life is always exciting (and watching it on screen comes close). More so for me, personally, when it’s a woman-led tech venture or story.
But this isn’t a post about women in tech (or tech law), or the cinematic ups and downs of the biopic itself (I’ll save that for another time). It’s about how an app built grievance redressal into its business model and product design, and why there's an important lesson in there for everyone.
Five issues to consider as the DPDPA turns two.
Yesterday marked the second anniversary of India’s (yet to be enforced) data protection law, the Digital Personal Data Protection Act, 2023 (fondly, the DPDPA).
In the months that followed its enactment, Indian tech lawyers dissected every inch of the new law. We analysed what its enforcement might mean for data fiduciaries and data subjects alike, identified risks and compliance gaps, and comforted ourselves with nuanced positions.
We were flooded with questions. Some were time-oriented: “How long will we have to implement the law?” Others were concerned about the DPDPA's scope: “Will this apply to me if I process personal data of foreign persons in India?” Yet others focused on how much would need to change in entities' compliance processes: “But, it’s just like the GDPR, isn’t it?” (No, friends, it isn’t.)
Two years on, here are 5 (of the many!) issues that have stayed with me several stakeholder meetings, and one set of draft rules later. I touch on 3P personal data woes, personalising content for children, the age (old) question, and more in this inaugural In Medias Res post.