Please wait while the page is loading...

loader

Get Set Go – Is India ready for the implementation of new data privacy legislation?

30 November 2023

Get Set Go – Is India ready for the implementation of new data privacy legislation?

We are living in a Digital Age. Whether we are shopping online or accessing our social media accounts, we are always leaving a footprint behind, that is, our digitized personal data. Such data is used by data analytics software for various purposes including to understand the user’s buying behavior and to provide us with product options, related feeds/stories, etc. However, such data use may not be limited to legitimate purposes only but can be used by fraudsters to commit identity theft as well. It is, therefore, pertinent to have a very strong data protection law. After five years of debate and deliberations, the Digital Personal Data and Protection Act, 2023 was finally published in the Official Gazette on August 11, 2023, after getting the President of India’s assent. However, the effective date of this legislation has yet to be announced by the Indian Government.

One of the key features of this new legislation is the requirement for Data Fiduciaries to obtain consent of the users/data principal to collect and process their personal data. Data fiduciaries can be any person who, alone or with other persons, determines the purpose and means of processing personal data. At the time of collection of such data, it is the responsibility of the Data Fiduciary to inform users of the purpose for the collection of their personal data and the rights of the users to correct, complete, update and/or erase their personal data as well as their rights to nominate an individual to exercise their rights under the Act in the event of death or incapacity of the user.

This requirement is not only limited to future users but also past users from whom Data Fiduciaries would have collected personal data. Also, in the event a question arises in a proceeding with respect to the processing of personal data for which the consent was taken, the Data Fiduciary will need to prove that a notice was given by them to the user and consent was given by such user to the Data Fiduciary as per the requirements of this Act. Data fiduciaries will also need to ensure that in the event any user requests removal of their personal data, such request is honored and their data is removed from the system of the Data Fiduciary. 

Looking at the quantum of data that is collected by Data Fiduciaries, this legal requirement may become quite onerous and cumbersome for the Data Fiduciaries as they need to have the requisite infrastructure and the personnel to ensure that this legal requirement is met. Non-compliance of these provisions may result in an entity paying a huge penalty, which may extend to Rs500 million (US$6.01 million).

While examining the provisions with respect to obtaining consent of the users, it is essential to evaluate whether an entity can proceed to process the personal data of a user even though no consent has been obtained from the user. The Act allows Data Fiduciaries to do so provided such processing is for “certain legitimate uses”. However, the Act is silent on what constitutes “certain legitimate uses”. It is essential for the legislature to clarify what constitutes “certain legitimate uses”, otherwise the same will become the subject matter of litigation as different entities will have different parameters for determining what constitutes a legitimate use. For example, in the UK, the following tests are considered for determining whether a use can be construed as a “legitimate” use. These tests are:

  • Purpose test: This test evaluates whether the purpose of processing the personal data is for a legitimate interest.
  • Necessity test: This test evaluates whether such processing is necessary or not.
  • Balancing test: Does such legitimate interest rule over the user’s fundamental rights and freedom under law?

Hence, if a larger public interest (such as fraud detection, cyber security, etc.) is involved, then it may clearly outweigh the interest of an individual user.

The Act also empowers the central government to notify a Data Fiduciary or a class of Data Fiduciaries as a “significant Data Fiduciary”. The central government will consider factors such as volume and sensitivity of data processed by them, risks to the rights of a user, risks to electoral democracy, security of State, public order while notifying an entity as a significant Data Fiduciary. Such significant Data Fiduciary will need to adhere to additional compliances prescribed under the Act such as appointment of a data protection officer, appointment of an independent data auditor, periodic audits, periodic data protection impact assessments, etc.

The foregoing are some of the key aspects of the new legislation. The Act is definitely a welcome move by the Indian government as if it is effectively implemented it will go a long way to the protection of our digitized personal data. It will be interesting to see how this law will evolve over the next few years.

Effective implementation will also help to build and strengthen the trust between the entities and the users and this will ultimately result in increasing the credibility of such entities. Entities will therefore need to:

  1. Have qualified and experienced consent managers who would ensure that the requirements of the Act regarding user consent is adequately complied with,
  2. Reassess contracts with third parties with respect to data processing in view of the liabilities of Data Fiduciaries under the new Act,
  3. Have robust security systems to prevent data breaches,
  4. Have data registers to depict that notices were issued and consent was taken from users,
  5. Have effective grievance redressal mechanisms in place,
  6. Reassess internal policies which govern the transmission of personal data between internal functional departments/teams,
  7. Set up mechanisms for identifying and notifying data breaches to the Data Protection Board and to the user, and
  8. Review their data privacy policies to ensure compliance with the requirements of the new legislation.

While the Act is yet to be notified, it is prudent for all entities to examine their existing data collection and processing practices and identify the areas of improvement. This is also critical, as the Act imposes huge penalties, which may extend to Rs2.5 billion (US$30.1 million), specifically in cases where the Data Fiduciary fails to fulfil its obligations to take reasonable security safeguards to prevent personal data breaches.


About the author

 Safir Anand

Safir Anand

 

Safir Anand is a senior partner and head of trademarks, commercial and contractual IP at Anand and Anand. He has more than 25 years of experience in providing input on strategy, business models, marketing and commercial insights, blended with an astute understanding of IP law that encompasses IP protection, IP enforcement, IP agreements, licensing, franchising, monetisation and due diligence. Anand has been widely recognized for providing input towards business model building, marketing and commercial insights blended with an astute understanding of the IP law. His focus to unleash the power of intangibles and nurture the untapped IP potential through specialized IP services earned him accolades and prestigious positions with national as well as global organizations.

 

 Ajai Garg

Ajai Garg

Ajai Garg leads Anand and Anand’s newly-formed digital group. He is an advisor and consultant on global trade, policy and compliance for digital technologies. He served as senior director at the Ministry of Electronics & Information Technology where he headed bilateral and multilateral relations and promoted startups and innovation. Most recently, he served as a consulting specialist at the Koan Advisory Group.

 Sushmita Ganguly

Sushmita Ganguly

Sushmita Ganguly is a managing associate at Anand and Anand’s Noida office where she is a part of the corporate team. She acts for clients from diverse sectors such as FMCG, pharma, software, food, banks, retail, education and more. She advises clients on varied matters involving the Companies Act, SEBI, foreign direct investment laws, labour and employment laws, data privacy regulations, legal metrology, food safety and contractual laws.

Law firms


Law firms