DEMYSTIFYING THE COMPLIANCES UNDER INDIA’S NEWLY ENACTED PRIVACY LAW: THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023

Feb 29, 2024 - 00:44
Bhubaneswar(28/02/2024/By Rohit Chakraborty):
Why is Data Protection the need of the hour? It isn’t uncommon for an unsuspecting Indian to receive a phone call from “their bank” in which they are asked to disclose sensitive financial information such as ATM PINs, transaction OTPs or credit card CVVs. More often than not, these “employees” are pretty convincing, as they first provide the victim with very particular personal details, only to have them divulge sensitive personal data by the end of the call. In a separate yet more frightening scenario, a law-abiding and tax-paying citizen might someday randomly discover that there are several bank accounts in their name of which they had no knowledge. So how are the victims being targeted in these situations? The answer isn’t “crime” as much as it is “lack of regulation.” Certainly, most of us have heard about the data breaches that occurred at Air India, BigBasket, Domino’s India and, of course, the infamous Aadhaar data leak case. Personal data of several million Indians was compromised and sold in each of these cases.

However, these breaches are not the only source that fuels such cybercriminal activities. Due to the lack of a data protection framework so far, India has been a breeding ground for unscrupulous companies involved in illegal and unethical data sharing. The absence of a comprehensive data protection regulation, and of its enforcement, has incentivized quite a lot of companies to sell or share customer personal data without consent, oftentimes with bad actors. To cure these evils existing in the Indian cyberspace, a robust data protection regulation was long overdue.

With the objective of regulating data sharing in cyberspace, India recently enacted its first formulated law on the protection of personal data. In the digital era, where personal data is slowly becoming equivalent to currency, the new law aims to strike a balance between individual privacy rights and the need for legitimate use of personal data. So how does this law affect the average Indian business or organization? Several compliances have been introduced through this legislation which shall apply to all businesses within India dealing with digitized personal data, or with non-digitized personal data that has subsequently been digitized.
The compliance requirements outlined in this Act may be broadly classified under six major headings. Depending upon the type of entity, the following may or shall apply:

- Privacy Notice
- Consent Management Framework
- Responsibilities of a Data Fiduciary
- Of Children’s Personal Data
- Data Principal Rights
- Significant Data Fiduciary

However, before moving ahead with the compliances, it is pertinent to understand the simplified definitions of a few key terms used within the Act.

Data Fiduciary: A person or group of persons deciding the purpose and means of collecting and processing certain personal data. It is termed the “Data Controller” under the GDPR and most other privacy laws.

Data Principal: An individual to whom the personal data relates. It is equivalent to the “Data Subject” under the GDPR.

Significant Data Fiduciary: Businesses or organizations processing huge amounts of personal data. The exact definition is yet to be notified.

Now that we have a grasp of the important definitions, we may proceed to explain the several compliances laid down within this Act. The checklist provided hereunder briefly illustrates the compliances in a nutshell.

Compliances Explained

Privacy Notice

A Privacy Notice (or Privacy Policy) is an intimation to be provided by the Data Fiduciary to the Data Principal prior to the collection of any Personal Data. As per Section 5(1) of the Act, it is mandatory for a Data Fiduciary to serve a Privacy Notice which must include:

- The categories of Personal Data being processed and the purpose of such processing
- The rights guaranteed to Data Principals under the Act
- The manner in which a complaint can be made to the Data Protection Board of India

In the case of personal data already collected prior to the enactment of this Act (historical data), the law mandates a refreshment of consent. In other words, upon commencement of the Act, the Data Fiduciary shall, as soon as reasonably practicable, serve a Privacy Notice to all Data Principals pertaining to the personal data already collected. [Section 5(2)]

Furthermore, the Data Principal shall have the option to choose their preferred language for the notice between English and any of the 22 languages mentioned under the Eighth Schedule of the Constitution of India. [Section 5(3)]

The Privacy Notice so served shall transparently explain the processing activities taken up by the Data Fiduciary in clear and pellucid terms. As mandated under Section 6(1) of the Act, the acceptance of this notice shall only be considered legally valid when there is an affirmative action by the Data Principal in furtherance of such acceptance. This means pre-marked checkboxes and notices without an option to reject shall not be considered valid. Additionally, the Privacy Notice shall also provide the name and contact details of the Data Protection Officer, or any other representative in charge of Data Protection.

Consent Management Framework

A novel feature introduced by the Indian legislation, which had never been witnessed before within any other privacy law in the world, is the requirement of a Consent Management Framework. The Act, under Section 6(7), mandates the appointment of a “Consent Manager” who shall be registered with the Data Protection Board and is assigned the duty to oversee the consent management system within the organization.

Responsibilities of a Data Fiduciary

Certain technical and organizational responsibilities are expected of all Data Fiduciaries under the legislation, as outlined hereunder:

- Agreements with Processors: Data Processing Agreements (or Contracts) are to be executed with all Data Processors. [Section 8(2)]
- Technical and Organizational Safeguards: The Act particularly mandates the implementation of reasonable technical and organisational measures, as per industry standards. [Section 8(4)]
- Security Safeguards: Data Fiduciaries are expected to employ reasonable security safeguards with the objective of preventing Data Breaches. [Section 8(5)]
- Data Breach Response: In the case of a Data Breach, a notification (or Incident Report) is to be provided to the Data Protection Board within a reasonable timeframe. [Section 8(6)]
- Storage & Purpose Limitation: The Act mandates the removal of data once the purpose for processing has been fulfilled and there is no purpose for further storage. Usage of data beyond the purpose for which it was initially collected is commonly known as “function creep”, and the same is unlawful under the DPDP Act as well as almost every other privacy legislation in the world. [Section 8(7)]
- Data Minimization: The Data Fiduciary is allowed to collect only as much data as it needs to perform particular processing activities in a lawful manner. Sitting on excess and superfluous data is an offence under the Act.
- Appointment of DPO/Representative: The Data Fiduciary shall either appoint a Data Protection Officer (DPO) or a Representative to oversee the Data Protection practices of the organization. The information of such person shall be clearly communicated. [Section 8(9)]
- Establishment of Grievance Redressal Mechanism: The Act further mandates the establishment of a Grievance Redressal Mechanism within the Data Fiduciary’s digital ecosystem in order to handle grievances from Data Principals. [Section 8(10)]
- Cross-Border Data Flows: The Indian legislation has taken up a “blacklisting approach” for the purpose of trans-border data flows, as opposed to the “whitelisting approach” employed by the GDPR and other notable privacy laws. Thus, if a Data Fiduciary is sharing personal data with entities abroad, it shall be permitted to export such data to all jurisdictions except the ones that have been blacklisted by the Indian Government.

Of Children’s Personal Data

The Act requires Data Fiduciaries engaged in the processing of children’s personal data to adhere to a few compliances. The age of consent for the purpose of this Act is yet to be notified by the Government. In order to process the Personal Data belonging to children or persons with disability, a Data Fiduciary, under Section 9(1) of the Act, is required to obtain the verifiable consent of the parent or lawful guardian respectively, prior to engaging in such processing. One of the methods to comply with this clause may be the introduction of an age-verification system coupled with a system to obtain and verify parental consent.

The Act prohibits the processing of personal data which is likely to cause harmful or detrimental effects to a child’s well-being. [Section 9(2)] Tracking of children and targeted advertisements directed towards children are also prohibited under Section 9(3) of this Act.

Data Principal Rights

The law upholds the digital rights of Data Principals and guarantees four major rights to all Data Principals within the territory of India. Accordingly, Data Fiduciaries are expected by the law to respect these rights and comply as and when required. Neglecting the rights of Data Principals shall result in non-compliance and is a serious form of offence under the Act. The four major rights are explained in brief.

RIGHT TO ACCESS [SECTION 11]: Data Principals have been bestowed with the right to access their personal information held by a particular Data Fiduciary. The Data Principal shall be entitled to a summary of the information relating to them, the names and details of Data Processors with whom their information has been shared, and a description of the data shared. Additionally, the Government may further prescribe any other information that a Data Principal may be entitled to. The Data Fiduciary is expected to maintain a Data Map alongside a Record of Processing Activities (RoPA) to ensure ease of locating personal data and to comply with requests made under this section.

RIGHT TO CORRECTION AND ERASURE [SECTION 12]: Under this section, Data Principals are guaranteed the right to:

- Correct inaccurate or misleading data
- Complete incomplete data
- Update personal data
- Erase data (Right to be Forgotten)

RIGHT OF GRIEVANCE REDRESSAL [SECTION 13]: In order to ensure effective enforcement of this right, the Act has mandated the establishment of a Grievance Redressal Mechanism for each Data Fiduciary. A request can thereby be made either to the Consent Manager or to the Data Fiduciary through the Grievance Redressal System. It is to be noted that this section must be exhausted by a Data Principal prior to approaching the Data Protection Board. If and only if the resolution provided by the Data Fiduciary through its Grievance Redressal Model is insufficient or unacceptable, the Data Principal may make a complaint directly before the Data Protection Board of India.

RIGHT TO NOMINATE [SECTION 14]: The Data Principal can nominate another person to exercise their rights in the case of their death or incapacity (unsoundness of mind or infirmity of the body).

Significant Data Fiduciary

The Government may from time to time declare some Data Fiduciaries as Significant Data Fiduciaries (SDF) through notification under Section 10(1). While deciding whether a Data Fiduciary falls under this category, the following criteria shall be considered:

- The volume and sensitivity of personal data being processed;
- The risk to the rights of Data Principals due to such processing;
- The potential impact on the sovereignty and integrity of India;
- The risk to electoral democracy;
- The security of the State;
- Public order.

ADDITIONAL COMPLIANCES FOR SIGNIFICANT DATA FIDUCIARIES:

Mandatory appointment of Data Protection Officer: Significant Data Fiduciaries are mandatorily required to appoint a Data Protection Officer. The DPO shall:

- Be based in India;
- Represent the organization before the Data Protection Board;
- Be answerable to the Board of Directors or similar governing body of the Data Fiduciary;
- Act as the point of contact for the Grievance Redressal Mechanism.

Appointment of Independent Data Auditor: The Significant Data Fiduciary must additionally appoint an independent data auditor to perform regular audits of the organization’s data protection practices and operational security.

Other compliances: Certain other compliances, as listed below, are also mandated by the Act under Section 10(2):

- The SDF is required to conduct periodic Data Protection Impact Assessments (DPIA).
- In addition to the DPIAs, the SDF shall carry out periodic Data Audits.
- Further measures may be notified by the Government in due course.

Get Compliant Today!

The Data Protection Regime in India is changing rapidly.
Even though most of the compliances have already been established through the Act itself, we can still expect the Government to notify further regulatory compliances through rules and by-laws. Almost every business which has an online presence today is processing some amount of data on a regular basis. Thus, regardless of their size and stature, they will be subject to the compliances mentioned herein.

ABOUT THE AUTHOR: Rohit Chakraborty is a Partner at Advoke Law. An alumnus of the prestigious National Law Institute University, Bhopal, Rohit specializes in the areas of Data Protection, Intellectual Property Rights, eCommerce Laws and Consumer Protection. With more than 3 years of experience in the tech-law space, he has rendered his services to numerous start-ups and SMEs across multiple jurisdictions worldwide.