“Jo main kehta hoon, woh main karta hoon, joh main nahi kehta, who main definitely karta hoon” (I do what I say, and definitely do what I don’t say) snarls Akshay Kumar in a potboiler, intended to confound his adversaries before beating them to a pulp. India’s Digital Data Protection Act (the Act) contains compliance language that too stands to confound corporates. The Bill passed by both houses of the Indian Parliament became law after Presidential consent on August 11. Here’s an attempt to look at the challenges that may be faced by Indian corporates in complying with his landmark law.
Use of consent
The very cornerstone of any global privacy legislation is the consent of the data subject (the individual whose personal information is collected and processed). Privacy principles require consent to be free, express and for the data subject to be aware of the purpose for which his/her data would be utilised. The Act accordingly requires consent to be “free, specific, informed, unconditional and unambiguous” and to be limited for the “specific purpose” for which it is collected. The Act requires the data fiduciary (entity collecting the data) to communicate the same through a notice to be provided to the data subject.
The Act, additionally allows for data to be utilised for “certain legitimate uses”. This term interestingly allows the data controller to utilise the data “for the specified purpose for which the data principal has voluntarily provided her personal data to the data fiduciary, and in respect of which she has not indicated to the data fiduciary that she does not consent to the use of her personal data”. The latter portion of this term leads to an overlapping conflict between the provisions of the consent clause (requiring informed usage) and that of legitimate use (allowing data to be used, where no refusal was specifically provided). Is the corporate required to ensure collection under specified consent notices or can it (to the detriment of the data subject) utilise the provisions of the legitimate use concept, and utilise the data, where the subject has not objected (which, admittedly could be a vast area)? It’s likely that this will confound the corporate much like the Bollywood dialogue mentioned above.
Cross-border transfer
If there’s a provision that has undergone a complete change since the earlier drafts of the Bill, then it has to be around “data localisation”. The earlier versions required data categorisation and restriction around cross-border transfer of certain data categories; the current version has done away with both these requirements. The government proposes to issue a “blacklist” declaring certain countries unfit for transfer, this may result in a scenario where multinational organisations operating in India and worldwide may have to restrict information about their Indian employees being shared with their counterparts in the “blacklisted” countries, leading to cost implications.
The Act also requires that other Acts, which prescribe a higher degree of protection and/or prohibit types of data from being transferred, will prevail over the provisions of this Act. Resulting in corporate compliance with cross-border restrictions such as those mandated by the Reserve Bank of India, it possibly will not be the smooth sailing that was expected in terms of cross-border data flow.
Data subject requests
A critical component of consent-based processing is the data principal’s (subject) right to be provided updated information about how their data is being processed. It’s critical that data subject comply with requests from the corporate (fiduciary) including, but not limited to asks, for authentication and identifiers to ensure a seamless response process. In the current Act, inserted is an innocuous provision which requires the data fiduciary to carry out its obligation irrespective of any act, omission or failure on the part of the data principal. Corporates will be constrained to carry out their duties notwithstanding any incorrect or lack of information on the part of the data subject.
Significant fiduciaries
The Act remains silent on data categorisation, unlike its older versions which used terms such as “sensitive” or “critical data”. However, in defining a “significant fiduciary”; a more scrutinised category of controller, the Act uses the term “sensitivity of data” to determine whether a controller will be categorised as “significant”. This undefined term will create confusion amongst corporates on whether they fall into this category and require additional safeguards in place.
Vikram Koppikar is privacy lead, South Asia for Kenvue. Views expressed are personal, and do not represent the stand of this publication.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
