August 14, 2023
1. Introduction
On August 11, 2023, India notified the Digital Personal Data Protection Act, 2023 (DPDP Act), paving the way for new digital personal data processing norms. DPDP Act primarily aims to provide statutory recognition to some aspects of informational privacy, while balancing the need to process personal data on lawful grounds.
With 44 sections and a Schedule on penalties, DPDP Act has no sunrise provision and is likely to be brought into force in a phased manner, through separate notifications in the Official Gazette. Upon implementation, Section 43A of the Information Technology Act[1] and its corresponding rules, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules), will be omitted.[2] Other applicable data processing regulations, including sectoral ones, will continue to apply to the extent they do not conflict with DPDP Act. The Act also provides for the creation of an independent regulator, the Data Protection Board of India (DPBI), which will be responsible for implementation, inquiry, and adjudication under DPDP Act. The provisions of DPDP Act are built on time-tested fundamental principles of data processing, and the detailing has been left to rule-making.
In this first post out of two, we analyze some of the key features under DPDP Act that businesses must pay closer attention to while gearing up internal practices for decoding and complying with the new law.
2. Who and what is covered under DPDP Act?
DPDP Act’s scope of application is simple. Subject to exemptions, DPDP Act applies to Data Fiduciaries[3] and Data Processors[4] processing digital personal data within India, and to processing outside India in certain situations. The key associated concepts and our analysis are below:
- Digital personal data (PD) is any representation of information, facts, concepts, opinions, or instructions in digital form about a natural person (Data Principal) who is identified or identifiable by or in relation to such data. It includes PD that was collected in digital form as well as non-digital data sets that have subsequently been digitized. Since pseudonymized data can be combined with identifiers to re-identify the Data Principal, it remains PD and is covered under DPDP Act. It follows that (i) PD kept in physical form such as paper filing systems, (ii) anonymized data, and (iii) non-personal data are outside the purview of the Act.
Further, DPDP Act’s application is not dependent on whether PD is sensitive such as health, financial, biometric, etc., although it may be a relevant consideration for the classification of Data Fiduciaries and levying of penalties. As of date, SPDI Rules are focused on sensitive personal data processing, and thus, many organizations that do not deal with sensitive data continue to process PD flexibly depending on practical business needs. With the implementation of DPDP Act, any organization processing any PD will be required to understand and comply with DPDP Act.
- Processing refers to fully or partially “automated” operations performed on PD and will include the entire data processing lifecycle, from collection to destruction. Automated is defined as any digital processing of data that is capable of operating automatically in response to instructions given, or otherwise. So, semi-automated processing will be covered, and only non-automated processes are excluded.
- Territorial nexus: Where any person (natural or juristic) processes PD within India, they must comply with DPDP Act, irrespective of whether they are present or incorporated in India, and irrespective of whether the Data Principal is in India or outside. For example, if a French company processes PD of Data Principals located in France, but the processing itself takes place in India (say, on infrastructure or through a team located in India), DPDP Act will apply to that processing.
Where processing is outside India, DPDP Act will apply, only if such processing is for offering goods or services to Data Principals within the Indian territory. Extra-territorial application does not include processing done for the sole purpose of profiling individuals.
- Exemptions: DPDP Act states that it shall not apply to the following cases of PD processing (i) for personal or domestic purposes, and (ii) if PD is publicly available due to voluntary actions of Data Principal such as opinions on social media, or due to disclosures made under applicable law. Additionally, Central Government (CG) has the power to notify state instrumentalities that would be exempt from DPDP Act in the interest of certain protective grounds such as sovereignty, public order maintenance, etc.[5] CG also has the power to exempt different kinds of Data Fiduciaries from any provision of DPDP Act for 5 years from the commencement date.[6]
3. Consent as the primary basis of processing
Consent is the primary legal basis for PD processing. DPDP Act sets out the qualitative and technical attributes of valid consent. Qualitative aspects of consent – it must be free, specific, informed, unconditional, and unambiguous. The technical aspect of consent – it must be given through a clear affirmative action by the Data Principal signifying agreement to PD processing for a specified purpose.
DPDP Act does not elaborate on these attributes, and the question that arises is – what do they mean for businesses?
- Free is likely to mean free consent as understood under the Indian Contract Act, 1872 i.e., without any coercion, undue influence, fraud, misrepresentation, or mistake. Whether consent is free or not will be determined on facts, the burden of proof will be on Data Fiduciary, and here, it would be relevant to substantiate that all other consent requirements have been fulfilled.
- Specific brings in the principles of purpose limitation and data minimization. Consent should be for specified purposes i.e., the identified lawful purposes with clear scope. Alongside this, the consent sought should be limited to the processing of PD, which is necessary for such specified purpose.
For example, a telemedicine app obtains Data Principal’s consent to (i) process their health data for providing telemedicine services, and (ii) access their phone contact list. Data Principal gives consent to both, and subsequently, the service provider uses the phone contact list for sending bulk marketing messages. Consent at (i) is specific and valid. Consent at (ii) is invalid, and the consequent processing will be unlawful, because neither the lawful purpose nor the PD necessary for that purpose has been specified.
As it stands today, most consent language is drafted generically so that it can be stretched to cover a variety of use cases, and a whole range of data is collected in anticipation of future uses and repurposing. With the implementation of DPDP Act, such consent notices are likely to become invalid. As an immediate step, businesses must start the necessary internal data screening, review their existing data inventory and segregation capabilities, and evaluate essential and non-essential business use cases. In essence, detailed data mapping is the need of the hour.
- Informed stems from the transparency principle and necessitates that Data Principal is made aware of PD processing. To this effect, Data Fiduciary would be required to provide a notice to Data Principal before, or at the time of seeking consent. This notice should inform the Data Principal about (i) PD that would be processed; (ii) the purpose for processing; (iii) manner in which they can exercise the right to withdraw consent (as discussed subsequently) and redress grievances; (iv) manner in which they can complain to DPBI; (v) contact details of Data Fiduciary’s authorized person acting as SPOC with Data Principal regarding their data rights.
The above is a fairly limited information flow as compared to what was contemplated in the earlier proposed drafts. Nonetheless, this brings the requirement of itemized consent notice, again emphasizing the need for businesses to know their controlled and possessed data pools, sources of collection, and use cases. The learnings then would need to be built into consent notices to satisfy DPDP Act’s expectations.
- Unconditional means that consent should not be made a condition for the supply of goods and services. A necessary corollary is the ability of the Data Principal to withdraw consent, and Data Fiduciaries are obligated to implement withdrawal mechanisms that are as easy to use as the mechanism by which consent was given. Where consent is withdrawn, processing undertaken beforehand is not rendered invalid. However, after withdrawal, Data Fiduciaries must cease processing, and must cause their Data Processors to cease processing, unless the processing is permitted or required under DPDP Act or any other law.
For example, take a Data Principal who consents to the processing of PD on an e-commerce platform for purchasing goods, pays for a particular order, and then withdraws consent. The e-commerce platform must cease processing the PD for any other purpose, but it can continue to process the PD needed to complete the order already placed.
Indirectly, this requires policies and processes that support selective PD retention, and an evaluation of whether privacy-enhancing technologies (PETs) are needed, so that the organization can carry out processing that remains mandatory after consent has been withdrawn, whether under law or under contract. Further, organizations must start augmenting or implementing a consent management and consent preference architecture that lets an individual review, revise, and withdraw consents, and lets the business act quickly when a consent status changes.
- Unambiguous requires consent language to be clear and in plain words. Existing consent language is catch-all and verbose. Such consent forms fall short of what DPDP Act demands, and it is imperative to start evaluating this old practice. Further, DPDP Act requires Data Fiduciaries to give the Data Principal the option of accessing the notice and consent request in English or in any of the languages specified in the Eighth Schedule to the Constitution.
- Clear affirmative action is indicative of express consent. It means that the Data Principal takes deliberate and specific action to opt-in, or agree to processing. The existing practice of deemed consent due to default settings, or opt-out mechanisms would not satisfy DPDP Act’s requirement.
The time for pre-ticked consent boxes is up! This technical aspect will nudge businesses to adapt to granular opt-in mechanisms (with clear banners and action items like swiping, clicks, or verbal recordings), move away from default settings, and start evaluating the need to upgrade consent collection and management processes.
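The consent attributes discussed above (specific purpose, data minimization, affirmative opt-in, easy withdrawal, and the narrow carve-out for processing that must continue after withdrawal, such as completing an order already placed) map naturally onto a purpose-scoped consent registry. The following Python sketch is an added illustration written for this post and is not code from the Act, from any consent manager, or from the authors. The purpose catalogue, field names, and the "pending obligation" notion are constructed assumptions chosen to mirror the telemedicine and e-commerce examples above; a real deployment would need to persist the ledger and tie it to the itemized notice actually shown.

```python
"""Purpose-scoped consent registry (illustrative; not from the DPDP Act or this post)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple

# Hypothetical purpose catalogue (constructed for this example). Each specified
# purpose declares the PD fields necessary for it (data minimisation) and whether
# processing may continue after withdrawal to finish something already undertaken,
# e.g. delivering an order that was placed while consent was active.
PURPOSES: Dict[str, dict] = {
    "telemedicine":     {"fields": frozenset({"name", "health_record"}), "continues_for_pending": False},
    "order_fulfilment": {"fields": frozenset({"name", "address", "payment_ref"}), "continues_for_pending": True},
    "marketing":        {"fields": frozenset({"email"}), "continues_for_pending": False},
}


@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str
    fields: FrozenSet[str]            # PD the principal actually agreed to
    notice_version: str               # which itemised notice they were shown
    given_at: datetime
    withdrawn_at: Optional[datetime] = None
    pending: List[Tuple[str, datetime]] = field(default_factory=list)  # obligations taken on under consent


class ConsentRegistry:
    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], ConsentRecord] = {}

    def record_consent(self, principal_id: str, purpose: str, fields: Iterable[str],
                       notice_version: str, affirmative_action: bool, now: datetime) -> ConsentRecord:
        """Accept consent only if it is specific, minimal and affirmatively given."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}: consent must name a specified purpose")
        if not affirmative_action:
            raise ValueError("no affirmative action: defaults, pre-ticked boxes and opt-outs are not consent")
        requested = frozenset(fields)
        excess = requested - PURPOSES[purpose]["fields"]
        if excess:
            raise ValueError(f"{sorted(excess)} not necessary for purpose {purpose!r}")
        rec = ConsentRecord(principal_id, purpose, requested, notice_version, now)
        self._records[(principal_id, purpose)] = rec
        return rec

    def register_obligation(self, principal_id: str, purpose: str, ref: str, now: datetime) -> None:
        """Record something undertaken while consent is active (e.g. a placed order)."""
        rec = self._records.get((principal_id, purpose))
        if rec is None or now < rec.given_at or rec.withdrawn_at is not None:
            raise PermissionError(f"no active consent for {purpose!r}; cannot undertake {ref!r}")
        rec.pending.append((ref, now))

    def withdraw(self, principal_id: str, purpose: str, now: datetime) -> bool:
        """Withdrawal is a one-step call; earlier processing is not invalidated."""
        rec = self._records.get((principal_id, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = now
        return True

    def may_process(self, principal_id: str, purpose: str, fields: Iterable[str], at: datetime) -> bool:
        """Gate every processing operation on purpose, fields and consent status at time `at`."""
        rec = self._records.get((principal_id, purpose))
        if rec is None or at < rec.given_at:
            return False
        if not frozenset(fields) <= rec.fields:
            return False                       # field was never consented to for this purpose
        if rec.withdrawn_at is None or at < rec.withdrawn_at:
            return True                        # processing before withdrawal stays valid
        # After withdrawal: only to complete obligations taken on before withdrawal.
        return PURPOSES[purpose]["continues_for_pending"] and any(
            t < rec.withdrawn_at for _, t in rec.pending)


def demo() -> Dict[str, bool]:
    """Walk through the e-commerce and telemedicine scenarios; returns checkable outcomes."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    h = lambda n: t0 + timedelta(hours=n)
    reg = ConsentRegistry()
    out: Dict[str, bool] = {}
    # E-commerce: consent, order placed, consent withdrawn, delivery may still proceed.
    reg.record_consent("p1", "order_fulfilment", {"name", "address", "payment_ref"}, "v1", True, t0)
    reg.register_obligation("p1", "order_fulfilment", "ORD-1", h(1))
    reg.withdraw("p1", "order_fulfilment", h(2))
    out["deliver_after_withdrawal"] = reg.may_process("p1", "order_fulfilment", {"address"}, h(3))
    try:
        reg.register_obligation("p1", "order_fulfilment", "ORD-2", h(4))   # new order: not allowed
        out["new_order_blocked"] = False
    except PermissionError:
        out["new_order_blocked"] = True
    # Marketing: nothing survives withdrawal, but earlier sends were lawful.
    reg.record_consent("p1", "marketing", {"email"}, "v1", True, t0)
    reg.withdraw("p1", "marketing", h(1))
    out["marketing_before"] = reg.may_process("p1", "marketing", {"email"}, t0 + timedelta(minutes=30))
    out["marketing_after"] = reg.may_process("p1", "marketing", {"email"}, h(2))
    # Telemedicine: asking for the contact list alongside health data is not minimal; a
    # pre-ticked box is not consent at all.
    try:
        reg.record_consent("p1", "telemedicine", {"name", "health_record", "contacts"}, "v1", True, t0)
        out["excess_fields_rejected"] = False
    except ValueError:
        out["excess_fields_rejected"] = True
    try:
        reg.record_consent("p1", "telemedicine", {"name", "health_record"}, "v1", False, t0)
        out["preticked_rejected"] = False
    except ValueError:
        out["preticked_rejected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The design point is that `may_process` is the single gate every processing path must call, with the purpose and the fields it is about to touch; withdrawal is then a data change, not a code change, and the post-withdrawal carve-out is limited to obligations that were actually undertaken before the withdrawal timestamp.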
Apart from the above, DPDP Act provides specific consent-related requirements for PD of children and persons with disability. It also recognizes consent flows through registered consent managers. DPDP Act also provides for certain legitimate use basis for the processing of PD. We would be delving into these aspects in our subsequent posts.
4. Data Processors and what is at stake?
DPDP Act imposes a set of obligations on Data Fiduciaries, such as enabling Data Principal rights and implementing reasonable security safeguards, breach of which may result in steep penalties. The obligation to protect PD against a personal data breach, including PD handled by a Data Processor on its behalf, also rests on the Data Fiduciary. There is no separate obligation called out for Data Processors. DPDP Act states that a Data Fiduciary may engage a Data Processor for processing activities only under a valid contract, and it holds the Data Fiduciary accountable for the acts and omissions of its Data Processors. This approach is logical and aligned with global regulatory trends, given that Data Processors process PD on behalf of Data Fiduciaries. But it means that detailed data and information-security diligence before onboarding, detailed data processing agreements, and periodic audits of the processor’s ecosystem will no longer be optional.
It is imperative that Data Fiduciaries understand the managerial, technical, operational, and physical security measures used by the Data Processor. Data Processors will have to align equally with DPDP Act, as that will become a basic eligibility criterion, and, quite naturally, the stipulations binding Data Fiduciaries will flow down to Data Processors through contractual covenants. Alongside, Data Processors should evaluate the adequacy and relevance of their existing processing lifecycle, deployed security technologies, breach notification and mitigation measures (including business continuity plans), cyber and breach incident insurance coverage, and the validity of existing standards and certifications, and, most importantly, set up a detailed communication strategy to set expectations and deliver on contractual mandates.
5. Conclusion:
While rules made under DPDP Act will contain details, the text as-is indicates the urgency for businesses to start understanding the essence of DPDP Act’s provisions to comb through prevalent processes and policies, and decide on the next steps. For many businesses such as those not processing sensitive personal data, it would mean dealing with a new set of legal requirements and hence, a longer gestation period to comply. Given that there is no identified sunrise period, it is about time that organizations start prepping. In our second post in the series, we would delve into Data Fiduciaries’ obligations, rights of Data Principals, cross-border transfers, and penalties.
[1] Section 43A requires bodies corporate processing sensitive personal information to implement and maintain reasonable security practices and procedures, and compensate where failure results in wrongful loss or gain to any person
[2] For this, Section 44 of DPDP Act, dealing with amendments to other laws, needs to be notified. It may also be that this is notified for certain businesses in the first go, resulting in a phased sunset of the SPDI Rules for businesses
[3] Data Fiduciary is the person who determines the purpose and means of PD processing and akin to data controllers, and includes joint fiduciaries
[4] Data Processor is the person who processes PD on behalf of Data Fiduciary
[5] Section 17(2) of DPDP Act
[6] Section 17(5) of DPDP Act