India marches towards a new era respectful of personal privacy while balancing business requirements. This article explores what organizations should do in the meantime while the new data protection law is fleshed out and rules are framed for its detailed implementation.
As the Upper House of the Indian Parliament passed the Digital Personal Data Protection Bill, 2023 (DPDP), the decks have effectively been cleared for India to introduce its own data protection law in the near future. Despite fast-approaching elections, the current dispensation is in no mood to slow down and continues to ring in formative changes – none more significant than the country’s own data protection law, the DPDP.
There is a school of thought that there is still time before the DPDP is implemented, especially since all the detailing is still required to be prescribed under the rules. However, the DPDP does bring about some serious changes, and organizations need to think fast and adapt faster so that they are ready in time to embrace the new paradigm without losing their ability to continue to process their databases.
Why do it now – there is enough time.
No, there isn’t.
There are several reasons why we conclude so. For the longest time, organizations in India have built their privacy policies and data processing habits based on consent of the data subjects. Take consent and do whatever you want. This is supplemented by some clever and broad consent language that allowed for a lot of flexibility and tremendous opportunity to monetize processed data. Even the consequences of non-compliance were primarily compensation as damages, which is quite an uphill task for a private individual to demonstrate.
Presently, the data protection architecture including policies, processing activities and risk appetite, is primarily driven by the above considerations. This will not be true any longer as the DPDP changes gears for India as it attempts to reshape the contours of privacy, shoulder-to-shoulder with the modern world.
Reassess your ability to hold & process personal data
Any organization that has tasted success in India would potentially have a large treasure trove of personal data, collected over the last decade or so. Likely, the consent under which it was collected is broad / catch-all / all-encompassing, allowing the data fiduciary to do as it pleases. This will not be good enough anymore, and is better understood in the context of certain core tenets of the DPDP.
The proposed law prohibits any kind of processing of personal data unless it is in compliance with the DPDP. Therefore, organizations would be required to demonstrate how their data collection and processing activities are consistent with DPDP; failing which they will not be permitted to process personal data.
Purpose Limitation, Data Minimization & Validity of Existing Consent – The DPDP mandates that consent for processing personal data be free, specific, informed, unconditional, unambiguous, given only for a specific purpose and limited to such data as is necessary for that purpose. This is a huge development and is well illustrated within the DPDP itself by means of an example – i.e., a telemedicine application cannot seek consent for accessing the data principal’s mobile phone contact list. The DPDP goes further and expressly invalidates such consent.
Therefore, it seems that even if a data fiduciary processes personal data on the basis of broad / catch-all consent language, such consent may not be valid anymore and may be read down to include only those data elements which can be considered necessary for the specified purpose for which the data principal provided consent. Interestingly, the DPDP also seems to have grandfathered consents obtained before its enactment, provided the data fiduciary notifies the data principal of how their data was previously processed and gives the data principal an opportunity to withdraw their consent. However, it remains to be seen to what extent the Data Protection Board (DPB) blesses consents obtained prior to the enactment of the DPDP, especially consents which were broad / catch-all / all-encompassing, when the same is not permitted under the DPDP. This in turn could jeopardize the ability of data fiduciaries to continue to hold and process such data.
What happens in cases involving multiple data fiduciaries? – There is a further scenario where a data fiduciary has received personal data of a data principal from another data fiduciary, which in turn received it directly from the data principal. Such downstream data fiduciaries are separated from, and do not directly engage with, data principals. The DPDP almost compels them to re-evaluate their contractual arrangements afresh to determine whether or not appropriate, specific and purpose-oriented consent has been obtained.
This could be a particularly difficult exercise for such down-the-line data fiduciaries, who do not have any direct engagement with the data principal and are dependent upon the upstream data fiduciary to obtain consent for them. This could drive a big gap between the commercial reality of back-to-back contractual arrangements versus the consent requirements contained in the DPDP.
For reasons including those discussed above, data fiduciaries may need to start assessing the quality of the consent on the basis of which they are processing personal data of data principals. If there is a gap, they need to take steps – now; else they run the risk of their existing consent being read down and considered inadequate under the DPDP, with no time left when the new law actually comes into effect.
System Architecture & Sophistication
The DPDP seems to introduce quite a few new and novel requirements, which can be complied with only if the systems implemented by data fiduciaries are sophisticated enough to enable such functionality.
For instance, the data principal is required to provide “affirmative consent”, and the data fiduciary must be able to demonstrate that proper notice was given to the data principal and that consent was obtained in compliance with the DPDP. Therefore, a record of such notice and consent would have to be maintained.
Every request for consent has to be made available in multiple languages, and the data fiduciary’s systems need to be capable of allowing for withdrawal of consent as well. Once consent is withdrawn, the data fiduciaries and their data processors need to cease processing the personal data within a reasonable time. This is yet another functionality that may need to be enabled so that the data fiduciary may comply with its obligations under the DPDP. In yet another requirement of system architecture, the data principal should have the ability to give, manage, review and withdraw his/her consent. With respect to children and persons with disability, “verifiable” consent of the parent / lawful guardian has to be obtained.
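As an added illustration (not from the article), a minimal consent ledger in Python that models the system requirements described above: consent recorded against a specified purpose and read down to the data elements documented as necessary for that purpose (the telemedicine contact-list example), a retained copy of the notice shown, and withdrawal that stops further processing while keeping the history demonstrable. The purpose register, element names and timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional

# Hypothetical purpose register: the data elements the fiduciary has documented
# as necessary for each specified purpose (constructed values, not from the law).
NECESSARY: Dict[str, FrozenSet[str]] = {
    "telemedicine_consultation": frozenset({"name", "phone", "medical_history"}),
}

def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)

@dataclass
class ConsentRecord:
    principal_id: str
    purpose: str
    data_elements: FrozenSet[str]     # elements actually covered by the consent
    notice_text: str                  # copy of the notice shown, kept as evidence
    affirmative_at: datetime          # when the principal gave affirmative consent
    withdrawn_at: Optional[datetime] = None

class ConsentLedger:
    def __init__(self, necessary: Dict[str, FrozenSet[str]]):
        self.necessary = necessary
        self.records: List[ConsentRecord] = []

    def record_consent(self, principal_id, purpose, requested, notice_text, at):
        # Data minimization: a request broader than the purpose needs is read
        # down to the documented necessary elements; the rest is never granted.
        # An undocumented purpose raises KeyError, i.e. consent is refused.
        granted = frozenset(requested) & self.necessary[purpose]
        rec = ConsentRecord(principal_id, purpose, granted, notice_text, at)
        self.records.append(rec)
        return rec

    def withdraw(self, principal_id, purpose, at):
        # Withdrawal is recorded, not deleted, so the history stays demonstrable.
        for r in self.records:
            if r.principal_id == principal_id and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = at

    def may_process(self, principal_id, purpose, element, at):
        # Purpose limitation: allow only under a consent for this purpose that
        # covers this element, was given before `at`, and is not withdrawn by `at`.
        return any(
            r.principal_id == principal_id and r.purpose == purpose
            and element in r.data_elements
            and r.affirmative_at <= at
            and (r.withdrawn_at is None or at < r.withdrawn_at)
            for r in self.records
        )
```

Processors downstream of the fiduciary would call the same check before each use, so a withdrawal propagates to them as soon as the ledger is updated.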
At present, any data breach is required to be reported to CERT-In under the Information Technology (The Indian Computer Emergency Response Team and Manner of Performing Functions and Duties) Rules, 2013 and the directions issued by CERT-In in April 2022 (CERT-In Rules & Directions).
The CERT-In Rules and Directions currently do not mandate any notification requirement vis-à-vis the data principal. This is set to change under the DPDP, which requires each data principal to be informed in the event of a personal data breach. While this appears to be a new requirement under Indian law, some other countries have already implemented such notification requirements. Hence, this approach under the DPDP seems consistent with certain international practices, although it would increase the compliance burden on data fiduciaries.
These are all new practices and system requirements that the DPDP demands, and organizations in India need to gear up in the meantime to effectively comply with them. While it seems that a lot of detailing will be contained in the rules, the DPDP already identifies many key areas in which current data practices may be found wanting. Although the industry expects the government to allow reasonable time to transition to the new law, the DPDP does not have any express provisions regarding such a transitory period.
So, when is the time to get your act together? The time is here. The time is now. Wake up Neo, the time is almost up!