Digital Personal Data Protection Act, 2023 – Key Challenges
The much awaited enactment of Digital Personal Data Protection Act, 2023 is a welcome legislation, notwithstanding the above challenges, at a time when India’s economy is growing with tremendous pace and most of the developed nations already had a stringent data protection law; organizations are keenly awaiting the laying of the rules under the Act and the notification relating to the negative list of countries with whom cross border data sharing will not be allowed.
The world waited and waited for India to legislate its data privacy law and finally we all got the new data privacy law in the name of Digital Personal Data Protection Act, 2023 (“DPDP” or “Act”). Since its legislation, much have been talked about it in various forums, news articles and other platforms. Let’s take this opportunity to point out some of the challenges that DPDP has in its enactment.
The Act is all about digital personal data and section 2 (n) defines ‘digital personal data’ as personal data in digital form while section 2 (t) defines ‘personal data’ as any data about an individual who is identifiable by or in relation to such data.Neither of these two definitions can be appreciated unless the definition of ‘data’ is looked into which is captured in section 2 (h) which means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means. This definition of ‘data’ is much compact and at the same time wider than the definition of ‘data’ as given in section 2(1)(o) of the Information Technology Act, 2000in terms of addition of the word “opinion” while removing the word “knowledge”. The concept of processing was inbuilt in the definition of ‘data’ in section 2(1)(o) of the Information Technology Act, 2000 while under the DPDP the concept of processing is at the heart of the enactment and is separately defined. A careful analysis of all the above three definition would easily indicate that practically everything which is related to an individual and which identifies an individual as such would get covered under the DPDP. Indeed 23 years is a long period whereby lot of technological changes have come necessitating a relook at the definition of ‘data’. While the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal data or Information Rules, 2011 (“SPDI Rules”) did help in identifying as to what would be covered under Sensitive personal data in terms of password, financial information, physical, physiological and mental health condition, sexual orientation, medical records, biometric information, the current definition of data / personal data under the DPDP leaves the corporate world wondering what is to be excluded. In view of the omission of section 43A of the Information Technology Act, 2000 under the DPDP, SPDI Rules, 2011 does not exist anymore.
One challenge posed by the DPDP is in terms of the right of a Data Principal under Section 11 to obtain from the Data Fiduciary the identities of all other Data Fiduciary and Data Processors with whom the personal data, as consented earlier by the Data Principal, has been shared by such Data Fiduciary, along with a description of the personal data so shared.
Another challenge that DPDP provides is in terms of obtaining the consent from data principal once again if such consent was already taken before the commencement of DPDP. Section 5 (2) provides – “Where a Data Principal has given her consent for the processing of her personal data before the commencement of this Act – (a) the Data Fiduciary shall, as soon, as it is reasonably practicable, give to the Data Principal a notice informing her – (i) the personal data and the purpose for which the same has been processed; (ii) the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and (iii) the manner in which the Data Principal may make a complaint to the Board, in such manner and as may be prescribed”. Now, this poses a huge challenge to many industries / sectors which deals with large number of customer data like the hospital industry, travel industry, banks, financial institutions, e-commerce industries etc whereby consent was already obtained earlier but they will be required to re-obtain the consent within a time frame (to be notified once the rules comes into effect). Reaching out to such large number of data principals once again not only is a procedural hassle but an expensive affair requiring time, resources and checking of old records. Organisations will have to redo the whole exercise especially keeping in mind the high penalty provision under the DPDP. While the Act does provide some relief in terms of continued processing when it says that the Data Fiduciary may continue to process the personal data until and unless the Data Principal withdraws her consent. The Act could well have exempted the organisations from re-obtaining the consent if it was earlier obtained and the records are available. We just hope that the period to re-obtain the consent is well defined and kept longer in the DPDP rules,which is yet to be enacted, to avoid operational inconvenience to many industries.
An important challenge posed by the DPDP is the provision which makes it obligatory on the part of the Data Fiduciary to prove, in any proceeding, that a notice seeking consent was given by the Data Fiduciary to the Data Principal and that consent was duly given by such Data Principal to the Data Fiduciary in accordance with the provisions of this Act and the rules made thereunder. Accordingly, it becomes extremely critical for the Data Fiduciary to keep a record of the notice given indicating the specific purpose for which the consent is sought, obtain the consent from the Data Principal which should be free, specific, informed, unconditional, unambiguous with a clear affirmative action from the Data Principal signifying an agreement to the processing of her personal data and cases where the consent is subsequently withdrawn by the Data Principal. While the consent could be obtained indicating a number of purposes in one notice, it is important for the Data Fiduciary to process the personal data only and only for the specific purpose which is required as reflected in Section 6 (2) of DPDP which says – “Any part of consent referred in sub-section (1) which constitutes an infringement of the provisions of this Act or the rules made thereunder or any other law for the time being in force shall be invalid to the extent of such infringement”. The illustration given under Section 6(1) makes it amply clear that while consent may be given for a number of purposes, but the processing is to be limited to what is necessary to meet the specific purpose. It will not be out of place to reproduce the said illustration which is – “X, an individual, downloads Y, a telemedicine app. Y requests the consent of X for (i) the processing of her personal data for making available telemedicine services, and (ii) accessing her mobile phone contact list, and X signifies her consent to both. Since phone contact list is not necessary for making available telemedicine services, her consent shall be limited to the processing of her personal data for making available telemedicine services”. Gone are the days where personal data were collected by a specific industry for use relating to that industry, but the personal data were often sold in the market or used for purposes unconnected with the said industry.
A challenge is also posed in terms of the language to be used in the notice seeking consent. Practically, the Data Principal can demand the language in the notice to be the one which is there in the Eighth Schedule to the Indian Constitution. While Section 6(3) does talk about an option for Data Principal to access such request for notice in English language or any of the languages specified under Eighth Schedule to the Indian Constitution; Data Fiduciary will be required to give notice in English as well as 22 languages specified in the Eighth Schedule to the Indian Constitution. While the intent of the legislation in promoting regional language is laudable, the tricky piece will be evident when the minute details of the specific purposes are indicated in the notice and the response from Data Principal, including situations where such consent is withdrawn later, using any of the 22 languages embedded in the Eighth Schedule to the Indian Constitution. Proficiency of the Data Protection Officer or anybody else in charge of the data protection in terms of understanding each of these languages would be critical in any proceeding on the breach of personal data allegation either under the Grievance redressal mechanism internally set up within the organisation or dispute before the Data Protection Board.
The concept of “deemed consent” as was provided under the Draft Data Protection Bill is now replaced by the concept of “Legitimate uses” as provided under Section 7 of the DPDP. Liberty is given to Data Fiduciary, including State and State instrumentalities, to process the personal data if it is meant for legitimate use. The State and its instrumentalities can process the personal data of data principal if such processing is related to (a) providing of subsidy, benefit, service, certificate, license or permit, (b) sovereignty and integrity of India or security of state, (c) disclosure required under any law, (d) compliance with any judgement or decree or order, (e) responding to medical emergency, (f) medical treatment, (g) safety of any individual during any disaster or any breakdown of public order. Liberty is also given to Data Fiduciary to process the personal data if such processing is (I) for the purpose of employment or related to (II) safeguarding the employer from loss or liability such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee. The latter liberty is a welcome insertion as it gives a lot of flexibility and operational convenience to organisation but the challenge such insertion poses is in the form of a question whether organisation still need to – (i) give notice of consent to Data Principal, and (ii) obtain consent from Data Principal. While some view this liberty as an exemption from giving the notice and obtaining the consent, keeping in mind the foundational objective of the DPDP which is “consent” from an individual to protect her personal data from any unauthorised breach, it is advisable that the organisation still give notice of consent and accordingly obtain the consent from the data principal as there could be some specific purpose for which her personal data may be needed beyond the employment and other purposes indicated in Section 7(i) of DPDP.
Who is going to be notified as “Significant Data Fiduciary” (“SDF”) amongst the class of Data Fiduciaries is eagerly awaited and industries are anxious as to whether it will be categorised as such since DPDP provides for many additional obligations on the part of SDF. While the notification is still awaited, some of the indications given in the Act as to what parameters would be considered in categorising a Data Fiduciary as SDF are quite helpful. These parameters include – (a) the volume and sensitivity of personal data processed; (b) risk to the rights of Data Principal; (c) potential impact on the sovereignty and integrity of India; (d) risk to electoral democracy; (e) security of the State; and (f) public order.
One challenge posed by the DPDP is in terms of the right of a Data Principal under Section 11 to obtain from the Data Fiduciary the identities of all other Data Fiduciary and Data Processors with whom the personal data, as consented earlier by the Data Principal, has been shared by such Data Fiduciary, along with a description of the personal data so shared. Now, this could practically pose a lot of challenge for many organisation who have been dealing with large amount of personal data. In many cases, such records would not have been diligently maintained and it could pose complex challenges in responding to the Data Principal requirement of notifying the list of such other Data Fiduciaries and Data Processors with whom the first Data Fiduciary might have shared the personal data. Keeping a record and the entire chain of Data Fiduciaries and Data Processors with whom the personal data were / are being shared could well turn out to be a painful exercise. Organisation will be required to develop a strong compliance structure and tight processes to track the entire chain of sharing of personal data. The only exception provided to Data Fiduciary is if such personal data have been shared with any other Data Fiduciary who were / have been authorised by law to obtain such personal data relating to prevention or detection or investigation of offences or cyber incidents or for prosecution or punishment of offences.
The entire concept of a “Consent Manager” is a new concept which is not there in the GDPR provisions. It is defined to mean “a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible, transparent and interoperable platform”. Introduction of a Consent Manager is indeed a progressive inclusion especially in today’s world of technological advancement. We are going to witness new arena of innovative technological tools clubbed with artificial intelligence to act as Consent Manager to manage the entire domain of consent relating to personal data. While the Consent Manager is appointed by a Data Fiduciary and is treated at par with the Data Fiduciary, the challenge lies in its accountability which is to the Data Principal. Data Fiduciary may also delegate the entire grievance redressal mechanism to the Consent Manager who shall respond to any grievances raised by the Data Principal in a time bound manner. Monitoring the working of the Consent Manager by the Data Fiduciary and laying down the governance guidelines by the Data Protection Board while granting registration will be key to the successful working of a Consent Manager under the DPDP.
In a country as populous as India where personal data, at times, have been negligently passed on or stored with no real deterrent, introduction of a regulator in the form of Data Protection Board (“DPB”) was a much-needed step. While DPB is to function as an independent body with tremendous power vested in them, the appointment of the Chairperson and other members will be by the Central Government. The independence of the DPB will be required to be seen in its working especially in areas where State and state instrumentalities have got a number of exemptions while dealing with and processing of the personal data. Amongst powers given to DPB, the power to direct the parties to resolve their disputes through mediation is again a welcome addition to reduce already burdened courts with litigation.
The quantum of penalty under the Schedule to the DPDP is alarming as it ranges from INR 10,000 to INR 250 crores. Practically every organisation and sectors which deals with personal data will be covered under the DPDP and the concern is not of large organisations which have the bandwidth and resources to devise a well-planned security system to prevent any unauthorised leakage of personal data; the challenge is more on the small and medium scale industries to establish a system of protection of personal data, regular monitoring of its usage and sharing and finally the redressal of the grievance of the Data Principal through a well-defined grievance redressal mechanism. Ofcourse, before levying the penalty by the DPB, various factors will be looked into by the DPB like (a) the nature, gravity and duration of the breach; (b) the type and nature of the personal data affected by the breach; (c) repetitive nature of the breach; (d) whether the person, as a result of the breach, has realised a gain or avoided any loss; (e) whether the person took any action to mitigate the effects and consequences of the breach, and the timeliness and effectiveness of such action; (f) whether the monetary penalty to be imposed is proportionate and effective, having regard to the need to secure observance of and deter breach of the provisions of this Act; and (g) the likely impact of the imposition of the monetary penalty on the person. The successful implementation of DPDP will largely depend on the working of the Data Protection Board.
The much awaited enactment of Digital Personal Data Protection Act, 2023 is a welcome legislation, notwithstanding the above challenges, at a time when India’s economy is growing with tremendous pace and most of the developed nations already had a stringent data protection law; organization are keenly awaiting the laying of the rules under the Act and the notification relating to the negative list of countries with whom cross boarder data sharing will not be allowed.
Disclaimer – The views expressed herein are purely personal and does not reflect the views of the organization that the author is working with.