In this episode of Industry Spotlight by Creative First, Gowree Gokhale, an Independent Legal Counsel and Advisor, and Lohita Sujith, Sr. Director, Copyright & Digital Economy, Motion Picture Association, delved into the nuances of the Digital Personal Data Protection Act.

Gowree started by explaining the key principles of the Act, emphasizing the individual’s central role, the importance of data protection rights such as erasure and withdrawal of consent, and the foundational concepts of purpose limitation and data minimization. She also highlighted the necessity for grievance redressal mechanisms to safeguard individuals’ concerns about how their data is collected, used, and retained. Gowree stressed that data fiduciaries must prioritize collecting only the minimum required data and ensure timely erasure once the data’s purpose has been fulfilled, fostering a more secure and transparent data ecosystem.

The conversation covered practical concerns surrounding the Digital Personal Data Protection Act. She raised the issue of how stringent data erasure requirements can disrupt customer outreach, with service providers losing the ability to reconnect with subscribers for potentially relevant services due to erased data. She also discussed the complexities of consent and targeted advertising in the context of children, addressing how parental consent works and how companies must tread carefully to protect children from harmful content while avoiding ethical and legal missteps. In this, Gowree highlighted international practices, noting that many countries have lower age at which children can give consent, which simplifies compliance.

The discussion transitioned to the limited role of the Data Protection Board in India, emphasizing that its current functions are restricted to adjudication, breach notifications, and consent manager registration, unlike international counterparts that provide regulatory guidance. Gowree underscored the challenges of relying on the Ministry of Electronics and Information Technology (MeitY) for industry-specific clarifications, given the Ministry’s expansive scope. Gowree called on industries to collaborate with MeitY to create sector-specific FAQs and guidance over the next few years to ensure a smoother implementation of the Act.

Gowree defined the concept of a “consent manager” who can be responsible for managing all aspects of consent for a data principle. She pointed out that there needs to be more clarity as to how a consent manager will work with fiduciaries. This led her to feel a bit of healthy scepticism towards the concept of “consent manager” in general.

The conversation then moved on to the feasibility of the deadline given for the Act. Gowree expressed doubts, specifically because each industry needs to be reviewed individually, and hoped for an extension.To wrap up the conversation, Gowree advised organizations to start working on compliance, in particular with data mapping, before the final rules are released.