Are businesses ready for India’s new digital law?

30 November 2024

India’s Digital Personal Data Protection Act (DPDPA) introduces new business compliance requirements, affecting data collection, third-party contracts and cross-border transfers. Excel V. Dyquiangco highlights the importance of aligning IP strategies with the new law.

India’s first data privacy law, designed to prevent personal data breaches, has yet to be implemented because several provisions require additional rules. These rules, which will activate the Digital Personal Data Protection Act (DPDPA), are prepared and will be released for public consultation soon, according to sources familiar with the matter. Although Parliament passed the DPDP Bill a year ago, the law is still pending full enforcement.

The act includes specific protections for children and individuals with disabilities, among others. It defines a child as anyone under 18 and, under Section 9, requires verification and parental consent before processing minors’ data. With this first data privacy law, how ready are businesses in India?

According to Abhishek Tiwari, an IAPP Education Advisory Board member and a manager in the digital trust team at KPMG India in Bengaluru, India is ready with this first data privacy law.

However, he said that companies will need to adapt to several changes under the new law.

  • Companies need to obtain consent from data principals for data obtained in the past. Data principals can choose to deny consent, in which case the company may need to stop processing that data, potentially bringing some processing to a halt.
  • Companies need to revisit the contracts they have with third parties. If a vendor does not appear to have adequate controls for protecting the data, that vendor needs to be terminated, which might disrupt processing until a new third party is identified or the issues are fixed.
  • Companies need to revisit where the data has been stored and how it is safeguarded. If this does not satisfy the act’s requirements, it needs to be changed, and the updates may cause some disruption.

Tiwari said that to comply with the new law, companies should take the following steps:

  • Revise the privacy notice to reflect correct details about what data has been collected, how it is processed and how data principals can exercise their rights.
  • Conduct an awareness session on the topic to inform employees and vendors of the act and its requirements. 
  • Revisit third-party contracts to make sure clauses related to data transfer, data disposal, data retention and data sharing have been addressed effectively.
  • Take stock of what data is being collected and for what purpose along with its location.
  • Revisit the Incident Management policy and link it with the Breach Management policy.
  • Communicate the revised policies and procedures to relevant stakeholders.

“India’s DPDPA only puts restrictions on transferring data to blacklist countries (yet to be notified), so the act doesn’t impact the data movement internationally. Moreover, it now enables companies to have controls and checks in place before the data is transferred, and third parties now can’t refuse to have them in place, as earlier in the absence of an act which has not been followed diligently,” Tiwari said. “In terms of data transfer internally (domestically), the DPDPA takes a horizontal approach where companies need to follow sector-specific guidelines for transfer.” 

New compliance hurdles

Ankita Sabharwal, head of data privacy at Chadha & Chadha in Gurugram, said that by setting limits on data collection, processing standards and cross-border data flows, the DPDPA introduces new compliance hurdles that could impact the development and commercialization of data-driven innovations.

For example, Sabharwal said, AI models, which often rely on diverse and substantial datasets to improve accuracy, may face stricter constraints on data access and processing, potentially slowing down advancements and increasing the costs of compliance.

“By enforcing stringent rules on data collection, purpose specification and cross-border data sharing, the DPDPA introduces new compliance layers that could challenge how businesses access and leverage large datasets essential for developing advanced algorithms and software,” she said. “These requirements may limit data mobility and affect collaborative models, especially in cross-border projects, as businesses adapt to ensure compliance while safeguarding their IP assets. However, adherence to DPDPA standards could position companies favourably by aligning their operations with global privacy-conscious markets, making their IP more appealing and competitive internationally. As a result, companies may need to adapt their IP strategies to ensure that their innovations are developed and maintained within compliant, secure data ecosystems, ultimately creating a more sustainable model for data-driven IP development in India.”

She added that the DPDPA brings India closer to global data protection standards, creating a framework with potential alignment to regulations like the General Data Protection Regulation (GDPR).

“This could streamline compliance for multinational companies managing data-sharing agreements across borders, fostering trust in India as a secure hub for cross-border data transfers in intellectual property licensing,” she said. “However, restrictions on transfers to certain regions might require companies to reassess existing IP licensing terms, particularly where personal data is integral to the IP’s value. By encouraging specific use limitations, the DPDPA can prompt companies to build clearer data usage frameworks in their agreements, enhancing transparency and minimizing potential legal risks.”

Her colleague, Sharabh Shrivastava, a partner at the same firm, echoed her sentiments.

“Compliance requirements such as data collection, processing and transfer norms may increase operational compliances,” he said. “This may have an effect on the creation of proprietary algorithms or software models that rely on extensive data inputs, especially when dealing with cross-border data transfers.”

He added: “However, these regulations also present an opportunity. They set standards for responsible data use, which can elevate the value of IP by ensuring that innovations are built on a foundation of legally compliant data practices. For IP owners, especially in AI and software, aligning IP protection strategies with data protection norms will be crucial to ensuring that their data-driven innovations are not only compliant but also competitively viable in a privacy-conscious market.”

Data collection and cross-border restrictions

On challenges, Tiwari said that companies may face issues with cost, infrastructure, resources and disruption under the new law. “Companies may find it difficult to evaluate the right technology needs to effectively manage some of the key requirements like consent management and breach management,” he said. “Companies may also need to look for alternative infrastructure or location as their current infra may not be equipped to satisfy the requirements laid down in the act or may fall under a blacklist countries list.”

He continued: “Companies may find it challenging to either train resources with different skillsets or find resources with necessary skillsets to manage the day-to-day job. In addition, some companies may need to temporarily stop the business to first make themselves compliant with basic requirements as laid down in the act (only for those companies where no privacy practice exists).”

For her part, Sabharwal added that limits on data collection and purpose-specific use might hinder access to the large datasets crucial for IP-driven innovation across sectors like pharmaceuticals and financial services.

“Cross-border data transfer restrictions add another layer of complexity, particularly for multinational firms, impacting collaboration and resource-sharing across borders,” she said. “Furthermore, companies relying on third-party data processors must ensure these partners align with DPDPA standards without diluting control over proprietary assets. However, the focus on secure data practices could strengthen IP protection, fostering trust and reinforcing a company’s reputation in the competitive landscape.”

Shrivastava added that at the outset, obligations around data minimization, purpose limitation and cross-border transfer restrictions may conflict with the need for large datasets essential for IP-based innovations, particularly in AI and software development. “This may raise concerns about maintaining proprietary datasets while avoiding non-compliance risks under the data protection regime of India,” he said. “For companies that rely on third-party data processors, ensuring contractual alignment with the DPDPA while maintaining control over IP rights will be essential.”

“However, the enhanced need for security may, in fact, be beneficial for IP-driven businesses. Enhanced security mandates not only protect personal data but also reinforce the integrity of proprietary assets, building trust with clients and stakeholders. Aligning third-party agreements with the DPDPA ensures a legally robust framework that supports sustainable IP development. Embracing these standards can ultimately position businesses as leaders in responsible innovation within varied data-driven sectors,” he said.

Building a robust IP strategy

Shrivastava said that under the forthcoming data protection regulations, tech sector businesses must strategically integrate data governance into their intellectual property frameworks to ensure compliance and enhance value.

“A critical focus should be on adopting rigorous data collection practices aligned with the principles of data minimization and purpose limitation outlined in the DPDPA,” he said. “By restricting personal data collection to what is strictly necessary for their IP functionality, companies can significantly reduce compliance risks and bolster the integrity of their innovations.”

He added: “Further, incorporating robust privacy and security measures throughout the IP lifecycle is essential. By embedding these safeguards from the outset, companies can protect sensitive data and maintain the integrity of their IP, aligning with regulatory mandates and building consumer trust. Furthermore, when working with third-party data processors or collaborators, it is crucial to include contractual clauses that mandate compliance with DPDPA standards. This proactive approach mitigates the risk of non-compliance that could jeopardize the security and value of IP assets. Moreover, businesses should focus on developing a comprehensive data governance framework that includes regular audits and assessments of data handling practices. This framework will not only ensure ongoing compliance with the DPDPA but also enhance the organization’s ability to respond to evolving regulatory requirements and emerging data privacy challenges. Lastly, a comprehensive data governance framework enhances IP resilience, fosters stakeholder trust, protects proprietary assets, and ensures adaptability in a dynamic regulatory landscape, ultimately supporting sustained innovation and growth.”

