We are living in a Digital Age. Whether we are shopping online or accessing our social media accounts, we are always leaving a footprint behind, that is, our digitized personal data. Such data is used by data analytics software for various purposes, including understanding the user's buying behavior and providing us with product options, related feeds/stories, etc. However, such data use may not be limited to legitimate purposes only; it can also be used by fraudsters to commit identity theft. It is, therefore, pertinent to have a very strong data protection law. After five years of debate and deliberation, the Digital Personal Data Protection Act, 2023 was finally published in the Official Gazette on August 11, 2023, after receiving the President of India's assent. However, the effective date of this legislation has yet to be announced by the Indian Government.
One of the key features of this new legislation is the requirement for Data Fiduciaries to obtain the consent of users (data principals) before collecting and processing their personal data. A Data Fiduciary is any person who, alone or with other persons, determines the purpose and means of processing personal data. At the time of collection of such data, it is the responsibility of the Data Fiduciary to inform users of the purpose for the collection of their personal data, of their rights to correct, complete, update and/or erase their personal data, and of their right to nominate an individual to exercise their rights under the Act in the event of the user's death or incapacity.
This requirement is not limited to future users but also extends to past users from whom Data Fiduciaries have already collected personal data. Also, in the event a question arises in a proceeding with respect to the processing of personal data for which consent was taken, the Data Fiduciary will need to prove that it gave notice to the user and that the user gave consent to the Data Fiduciary as per the requirements of this Act. Data Fiduciaries will also need to ensure that, in the event any user requests removal of their personal data, such request is honored and the data is removed from the Data Fiduciary's systems.
Looking at the quantum of data that is collected by Data Fiduciaries, this legal requirement may become quite onerous and cumbersome for them, as they need to have the requisite infrastructure and personnel to ensure that it is met. Non-compliance with these provisions may result in an entity paying a huge penalty, which may extend to Rs500 million (US$6.01 million).
While examining the provisions with respect to obtaining the consent of users, it is essential to evaluate whether an entity can proceed to process the personal data of a user even though no consent has been obtained from the user. The Act allows Data Fiduciaries to do so provided such processing is for "certain legitimate uses". However, the Act is silent on what constitutes "certain legitimate uses". It is essential for the legislature to clarify what constitutes "certain legitimate uses"; otherwise the question will become the subject matter of litigation, as different entities will have different parameters for determining what constitutes a legitimate use. For example, in the UK, the following tests are considered for determining whether a use can be construed as a "legitimate" use. These tests are:
- Purpose test: This test evaluates whether the purpose of processing the personal data is for a legitimate interest.
- Necessity test: This test evaluates whether such processing is necessary or not.
- Balancing test: Does such legitimate interest override the user's fundamental rights and freedoms under law?
Hence, if a larger public interest (such as fraud detection, cyber security, etc.) is involved, it may clearly outweigh the interest of an individual user.
The Act also empowers the central government to notify a Data Fiduciary or a class of Data Fiduciaries as a "significant Data Fiduciary". The central government will consider factors such as the volume and sensitivity of data processed by them, risks to the rights of a user, risks to electoral democracy, security of the State and public order when notifying an entity as a significant Data Fiduciary. Such a significant Data Fiduciary will need to adhere to additional compliance obligations prescribed under the Act, such as appointment of a data protection officer, appointment of an independent data auditor, periodic audits, periodic data protection impact assessments, etc.
The foregoing are some of the key aspects of the new legislation. The Act is definitely a welcome move by the Indian government, as, if it is effectively implemented, it will go a long way toward protecting our digitized personal data. It will be interesting to see how this law evolves over the next few years.
Effective implementation will also help to build and strengthen trust between entities and users, and this will ultimately increase the credibility of such entities. Entities will therefore need to:
- Have qualified and experienced consent managers who will ensure that the requirements of the Act regarding user consent are adequately complied with,
- Reassess contracts with third parties with respect to data processing in view of the liabilities of Data Fiduciaries under the new Act,
- Have robust security systems to prevent data breaches,
- Have data registers that demonstrate that notices were issued and consent was taken from users,
- Have effective grievance redressal mechanisms in place,
- Reassess internal policies that govern the transmission of personal data between internal functional departments/teams,
- Set up mechanisms for identifying and notifying data breaches to the Data Protection Board and to the user, and
- Review their data privacy policies to ensure compliance with the requirements of the new legislation.
While the Act is yet to be notified, it is prudent for all entities to examine their existing data collection and processing practices and identify areas for improvement. This is also critical, as the Act imposes huge penalties, which may extend to Rs2.5 billion (US$30.1 million), specifically in cases where the Data Fiduciary fails to fulfil its obligation to take reasonable security safeguards to prevent personal data breaches.