India: Adapting to the Digital Personal Data Protection Act, 2023 - mapping trajectories of businesses
The absence of a comprehensive data protection law has affected India's progress towards becoming a global leader in business, technology, and outsourcing. The enactment of the Digital Personal Data Protection Act, 2023 (the Act), brings with it a promise of enabling the processing of personal data in a way that respects both individual rights and the legitimate needs of businesses to process data for lawful purposes. But what are the key implications businesses need to be aware of? Since the Act is yet to take effect and will likely be rolled out in phases, readiness to comply will be paramount.
In this Insight article, Harsh Walia, Partner at Khaitan & Co., explores the implications of the Act for businesses, offering guidance on how to navigate the new obligations. This proactive approach will not only ensure adherence to legal requirements but also cultivate a culture of responsible data practices in this digital age.
When does the Act come into effect?
First and foremost, the Act applies to personal data collected in a digital format, including cases where personal data is collected in non-digital format and subsequently digitized. However, there are instances where the Act will not be applicable. For instance, when personal data is processed by an individual for personal or domestic purposes, or when personal data is intentionally made publicly available either by the data principal (the individual to whom the personal data belongs) or as a result of a legal obligation imposed on another party. The term 'data principal' is defined in a manner resembling that of 'data subject' under the General Data Protection Regulation (GDPR).
Furthermore, the Act extends its applicability to entities incorporated outside India if such entities engage in the processing of personal data related to any activities associated with the offering of goods or services to data principals within India.
Evaluating the entity's role as a 'data fiduciary' or a 'data processor' and taking necessary measures
The Act provides a definition of 'data fiduciary,' similar to the concept of data controllers in the GDPR. A data fiduciary is any person who, alone or in conjunction with others, determines the purpose and means of processing personal data. Certain data fiduciaries or classes of data fiduciaries may be designated as 'significant data fiduciaries' by the Government. This designation will be based on factors such as the volume and sensitivity of personal data processed, risks to the rights of data principals, potential impact on India's sovereignty and integrity, threats to electoral democracy, national security, and public order. This classification is vital, as certain enhanced obligations have been prescribed for significant data fiduciaries under the Act.
On the other hand, 'data processor' is defined as any person that processes personal data on behalf of a data fiduciary as defined in the Act. According to the Act, data fiduciaries can engage data processors through valid contracts. Notably, in contrast to several other regulations such as the GDPR, distinct obligations have not been carved out for data processors. In simpler terms, obligations for data processors are likely to be contractually flowed down by the data fiduciaries or the significant data fiduciaries, as applicable.
Hence, it is imperative to conduct an assessment to determine the entity's role in the processing of personal data in order to define the obligations and measures for compliance under the Act. It will also be crucial to ensure the formalization of all engagements with data processors through appropriate agreements that explicitly outline the obligations and liabilities of both parties.
Cataloguing and mapping different types of personal data processed by entities
The Act offers protection to all types of personal data and does not classify it into 'sensitive' or any other special categories. Accordingly, it is important to ensure that the entity maintains a comprehensive record of the various types of personal data processed within each domain. This practice is essential to enable effective monitoring and management of data processing practices.
Moreover, this process will enable businesses to establish suitable justifications for data processing, implement tailored security safeguards, and formulate data retention policies for each category of personal data.
Establishing grounds for processing and identifying exemptions
Personal data can be processed based on lawful purposes, including consent or other prescribed legitimate reasons. In essence, entities might not require consent for processing personal data in specific circumstances, such as when the data principal has voluntarily provided personal data (without expressing non-consent) for specified purposes, fulfilling legal obligations, for compliance with judgments or decrees from judicial authorities, for responding to a medical emergency, or for employment-related objectives, subject to specified conditions.
Similarly, the provisions of the Act (except the requirement to have a valid contract with the data processor) shall not apply to entities in certain situations. For example, processing personal data may be deemed necessary for:
- enforcing any legal rights or claims;
- preventing, detecting, investigating, or prosecuting offenses or breaches of laws; or
- facilitating compromise, arrangements, amalgamations, or mergers of companies, among others.
In line with the existing legal framework, the Act will not apply either when the personal data pertains to data principals located beyond India's borders and is processed under a contract with a foreign entity.
Therefore, entities must closely assess the grounds for processing for each dataset they handle, so that appropriate exemptions can be availed of.
Revisiting the privacy notices or policies and translation requirements
The new Act requires that when processing personal data is based on consent, data fiduciaries must provide a notice to data principals, either before or after obtaining consent. This notice should outline the types of personal data processed by the entity, the purpose for processing it, the methods through which data principals can exercise their rights, and the process for data principals to file complaints before the data protection board. Accordingly, businesses need to review and modify their privacy notices or policies to align with the requirements stated in the Act.
Furthermore, considering the linguistic diversity in India, the Act also mandates data fiduciaries to offer data principals the choice of accessing the notice's contents in either English or any language listed in the Eighth Schedule of the Constitution of India. Currently, 22 languages are prescribed under the Eighth Schedule of the Constitution of India. Therefore, it is essential for businesses to prepare translated versions of their privacy notices, ensuring their accessibility for sharing with data principals.
Additional compliances for children's data
In contrast to the earlier data protection law, which did not contain explicit provisions regarding the processing of children's personal data, the new Act introduces specific supplementary compliance requirements for the processing of personal data belonging to individuals under 18 years of age and those with disabilities. Data fiduciaries are required to ensure that processing such personal data does not adversely impact the well-being of the child and that this processing does not lead to tracking, behavioral monitoring, or targeted advertising aimed at children. Notably, certain exemptions from complying with these additional obligations may be granted in the future, contingent upon specified conditions as prescribed.
Businesses involved in processing personal data of children or individuals with disabilities, or those offering services to them, must progressively take measures to ensure that their processing activities are aligned with the stipulations outlined in the Act.
The way ahead
Undoubtedly, the new law introduces a more rigorous framework, marked by a strong emphasis on compliance and substantial penalties for non-compliance; however, it maintains a business-friendly approach. The Act's phased implementation provides companies with a strategic window to prepare for its requirements.
While the law has outlined general liabilities, further clarity on several operational aspects is expected in due course. These aspects include the means of furnishing notice, procedures for obtaining verifiable consent for processing personal data of children and individuals with disabilities, the timeframe for data fiduciaries to address data principals' grievances, and protocols for notifying personal data breaches, among others.
Therefore, it is crucial to recognize that this evolving regulatory landscape demands a proactive stance from companies to ensure timely compliance. The forthcoming journey of implementing and enforcing the Act promises to be intriguing, revealing how it effectively safeguards personal data while concurrently promoting business growth in India.
Harsh Walia Partner
Khaitan & Co., New Delhi
Supratim Chakraborty Partner
Khaitan & Co., Kolkata