The enactment of the Digital Personal Data Protection Act by Parliament recently marks a watershed moment in the way Indian businesses deal with personal data. Up to now, companies doing business outside India treaded the path of complying with foreign data privacy laws. Other Indian businesses mostly focused on having a privacy policy that was based on a boilerplate draft. This law is unique in the sense that it covers an area of law that largely did not exist in India till now.
How do Indian businesses go about this? To understand the law, some basic terminology first. There are three key actors in data privacy – the data fiduciary, who collects the personal data or on whose behest it is collected, the data principal, whose data is being collected and the data processor, who processes the data on behalf of the data fiduciary.
The first thing that a data fiduciary must do is to make a paradigm shift in its mindset towards dealing with personal data. Personal data needs to be dealt with carefully and managed through its entire life cycle of collection, storage and processing, and until it is finally deleted. This involves enabling systems that can manage personal data whether it relates to customers, service providers or employees or across different functions, whether relating to sales, HR or finance.
Next, data fiduciaries must work out what personal data it needs and for what purpose and must document that in a privacy policy. The description of the personal data being collected and the purposes for which it is used should not be vague and general but should be as granular as possible. The data fiduciary has to communicate this to the data principal in the form of a notice.
GDPR Influence
The business should in most cases obtain consent from the data principal to use the personal data and for the purpose mentioned in the notice. This consent must be “freely given”, “specific”, “informed”, “unconditional”, and an “unambiguous indication of consent” and through a “clear affirmative action”. This language is mostly borrowed from the General Data Protection Regulation (GDPR) in the European Union. The EU has developed substantial jurisprudence on what this means. For example, purposes must be mentioned with some granularity and generally, each purpose must be consented to separately. Further, where the user has no choice but to consent, especially for a purpose that is not necessary for the specific function for which the personal data is collected, this may not amount to free consent.
The law does allow other grounds for processing of personal data, that is, without obtaining consent, but they are fairly limited. One can process personal data when required to comply with a law or a court order. For example, a listed company need not obtain consent from a shareholder in order to collect personal data of a shareholder where such processing is in order to fulfil Securities and Exchange Board of India (SEBI) Know Your Client (KYC) requirements.
Gaps In Drafting
One can process personal data when provided voluntarily by a data principal if the data principal does not object to its use. The provision is not well drafted and not easy to understand. It appears to apply when the personal data is given on the initiative of the data principal or when it is given automatically, such as when a data principal goes to a pharmacy and provides her personal information in the course of purchasing medicine.
Under the new law, data principals can not only ask what personal data of theirs is being stored by the data fiduciary but have a right to ask for it to be corrected or updated. Further, an individual can also ask for personal data to be deleted when the purpose for which it was collected has been served. In addition, the data fiduciary would have to delete the data on its own once the purpose for collecting such personal data has been served. This would require a periodic review of the personal data being stored to determine whether the personal data is still required or to build automated processes to delete personal data.
Accordingly, there is a need to be extremely strict and disciplined when dealing with personal data. It must be stored in well-structured systems that ensure its proper management. In this regard, the law does give sanctity to the concept of a consent manager – a third party which will manage the consent process. These rights do not apply in some situations, especially when consent is not required.
The requirement of deletion could have a profound impact on big data where the data is not anonymised. Data-based decisions must be made after ensuring completeness, accuracy and consistency of the data. A key right in the EU, not to be subject to a decision based solely on automated processing has not been provided in this law. While the law requires that personal data be used only for purposes that are specified in the notice, the law is somewhat unclear about imposing a reasonableness or legitimacy standard for those purposes. Overall, the law appears to be reasonably friendly towards AI and big data.
A data fiduciary also has an obligation to apply reasonable security standards for safeguarding the personal data that it collects and processes. If it does not do so, it could face consequences under the law. The maximum penalty that can be imposed is Rs 250 crore! Further, if a data breach or even a vulnerability occurs, the data fiduciary needs to inform not just the regulator but the concerned data principal. A data fiduciary needs to be mindful of the reputational risk associated with being publicly known as having been the subject of a data breach.
Stricter Than GDPR
If you think this is all a tough ask, you should know that the law is simpler and less prescriptive than data privacy laws in many countries. This kind of simpler law is appropriate for a country like India for two reasons – one, because India is just starting down the road of data privacy compliance and two – because India has a huge SME sector that would struggle to comply with a more complex law.
At the same time, the law is stricter than GDPR in some ways; for example, in the EU, a business that can develop a case for it having a “legitimate interest” to process personal data can do so without consent. This is largely not possible in India. Further, in the EU, a data breach needs to be reported only to the regulator and individuals only where the data fiduciary concludes that the breach could result in a risk to the rights and freedoms of the individual.
The government has given itself the power to exempt classes of data fiduciaries from provisions of the law. This includes start-ups, which have been specifically mentioned. The definition of who constitutes a start-up will be notified separately. The government has announced that it intends to bring the law into force within 10 months. It is hoped that it would notify as soon as possible when the substantive provisions will come into force so industry has time to prepare with a target date in mind. It’s now time for every Indian business to begin that journey towards compliance with data privacy regulation.
Stephen Mathias is a partner, Technology Law Practice at Kochhar & Co. Views are personal, and do not represent the stand of this publication.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
