Five issues to consider as the DPDPA turns two.
Privacy and Data Protection, E-commerce, Consumer Protection, Cybersecurity Karishma Sundara Privacy and Data Protection, E-commerce, Consumer Protection, Cybersecurity Karishma Sundara

Five issues to consider as the DPDPA turns two.

Yesterday marked the second anniversary of India’s (yet to be enforced) data protection law, the Digital Personal Data Protection Act, 2023 (fondly, the DPDPA).

In the months that followed its enactment, Indian tech lawyers dissected every inch of the new law. We analysed what its enforcement might mean for data fiduciaries and data subjects alike, identified risks and compliance gaps, and comforted ourselves with nuanced positions.

We were flooded with questions. Some were time-oriented: “How long will we have to implement the law?” Others were concerned about the DPDPA's scope: “Will this apply to me if I process personal data of foreign persons in India?” Yet others focused on how much would need to change in entities' compliance processes: “But, it’s just like the GDPR, isn’t it?” (No, friends, it isn’t.)

Two years on, here are 5 (of the many!) issues that have stayed with me several stakeholder meetings, and one set of draft rules later. I touch on 3P personal data woes, personalising content for children, the age (old) question, and more in this inaugural In Medias Res post.

Read More