Businesses Struggle with Compliance Costs and Data Verification Under DPDP Act

Synopsis

The rising costs of meeting compliance are spooking many, with nearly 30% of respondents saying these new expenditures will be more than 10% of their turnover. They also fear business operations will be disrupted as routine tasks like security updates, marketing of new products, or spam protection now require explicit consent.
ETtech
Businesses of all sizes fear they can’t meet the strict data verification norms and rising compliance costs under the Digital Personal Data Protection (DPDP) Act, with 85% of respondents in a survey expecting data verification to consume a significant portion of their turnover.

The new norms may also impact India’s push to develop sovereign AI models as more than 75% of firms training artificial intelligence or machine language models remain dependent on publicly available personal data for training their models, according to the survey by New Delhi-based technology policy think tank Esya Centre that covered 300 firms from tier 1 and 2 cities.

All publicly available personal data is exempted from the DPDP Act, but under strict conditions. Section 3(c)(ii) of the Act exempts data that has been made public by the individual it pertains to, or by a third party under a legal obligation.

Consequently, any entity seeking to use publicly available personal data must first verify that it meets these conditions.

While 80% of firms believe such verification will be challenging, the rest said it will be practically impossible, the survey showed.

As many as 46% of surveyed firms belonged to the IT and IT-enabled services sectors.

Also, most of the businesses processing digital personal data are involved in the development and deployment of AI solutions.

Several provisions of the DPDP Act kicked into effect when the rules were notified in November last year, while others will come into force in a graded manner over 12 to 18 months.

While the government has said the relatively long timelines under the DPDP Act will help businesses catch up with the regulations and allow the necessary ecosystem to develop, the survey found that a majority of firms do not fully understand its implications for their products and services.

Section 7 of the Act lays down certain legitimate uses for which users’ digital personal data may be processed without obtaining their consent. But it omits grounds such as “legitimate interest” and “contractual necessity”, which are a staple across global data protection laws like the European Union's GDPR.

Crucially, 62% of firms are not aware of this key exclusion.

Globally, data protection laws require businesses to process personal data on the basis of a specified legal ground including compliance with a legal obligation, vital interests of the data subject or a third person, public interest, apart from contractual necessity and the legitimate interests of the business or a third party.