Until the early 2000s, in popular imagination, the greatest danger associated with putting one’s personal data on the internet was that it would attract unsolicited spam, predominantly from e-commerce companies. The high-profile data breaches seen over the last decade have dramatically revised our understanding of the risks associated with personal data. All this while, in the matter of personal data protection, India has skated on the thin ice of a set of eight clauses notified in 2011 under the Information Technology Act, 2000 called the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules). Naturally, there is considerable excitement around the prospect of the Digital Personal Data Protection Bill, 2023 (DPDPB 2023) becoming law. Here, we go over the important obligations of data fiduciaries under the DPDPB 2023.
Much has been written about the previous ‘avatars’ of the DPDPB 2023 and the consultative process of which it is the culmination. Like its predecessors, the DPDPB 2023 continues to draw inspiration from the European Union’s General Data Protection Regulation (GDPR), and the principles embodied in it are a testament to this. The key principles finally reflected in the DPDPB 2023 include purpose limitation, data minimisation, accuracy, storage limitation, and accountability. Data fiduciaries should internalise these key principles in their policies on collection, storage, sharing and other processing of personal data. It is important to note that under the DPDPB 2023, the obligations on data fiduciaries, who are defined as the parties that determine the purpose and means of processing of personal data, are more onerous than those on data processors, who process personal data on a data fiduciary’s behalf.
The DPDPB 2023 prohibits processing of personal data for a purpose that neither constitutes a legitimate use nor has been consented to by the data principal. It is therefore imperative that data fiduciaries who wish to continue processing personal data they already hold (“processing” means any wholly or partly automated operation on digital personal data and, among others, includes collection, organisation, storage, use, sharing, and even erasure or destruction) notify data principals of the personal data they hold, the purpose for which it has been processed, their right to withdraw consent to such processing, and the manner in which they can get their grievances redressed.
As in the case of the GDPR, there is no explicit obligation in the DPDPB 2023 on data fiduciaries to map out the personal data processed by them. However, data principals have rights under the DPDPB 2023 to obtain details and summaries of personal data processed, the processing activities done on such data, data fiduciaries and processors with whom personal data has been shared, and other yet-to-be prescribed details. These rights, coupled with other rights of data principals to get their personal data corrected, completed and updated, lead to an implied requirement on data fiduciaries to maintain exhaustive data maps and directories of personal data.
Providing notice, a request for consent and then obtaining consent (in English or any other specified Indian language) for processing personal data continues to be the centrepiece of the DPDPB 2023. The DPDPB 2023 requires notices to disclose details of the personal data to be processed, the purpose for which it will be processed, the manner of withdrawing consent and getting grievance redressal, and the manner in which complaints may be made to the Data Protection Board to be set up by the Central Government. Consent given by the data principal should be free, specific, informed, unconditional, unambiguous and provided through a clear affirmative action.
Under the DPDPB 2023, a data fiduciary may process personal data without the data principal’s consent for certain ‘legitimate uses’, such as a specified purpose for which the data principal has voluntarily provided their personal data, employment-related purposes and safeguarding an employer from loss or liability, meeting legal obligations, the performance of State functions, and the provision of medical treatment or services.
If personal data to be processed is likely to be used to make a decision that affects the data principal or is likely to be disclosed to another data fiduciary, the primary data fiduciary is required to ensure completeness, accuracy, and consistency of such personal data. Further, the obligation to take reasonable security safeguards to prevent personal data breach continues to find a mention in the DPDPB 2023. There is no specific guidance in the DPDPB 2023 on what such safeguards are, but in the context of the SPDI Rules, these are understood as measures consistent with the IS/ISO/IEC 27001 standards.
Data fiduciaries processing the personal data of a child, or of a person with disability who has a lawful guardian, are required to obtain the “verifiable consent” of the parent or lawful guardian prior to processing. Data fiduciaries are barred from tracking or behavioural monitoring of children and from targeted advertising directed at children, and are also required to refrain from processing personal data in ways detrimental to the well-being of a child.
A data fiduciary will have to identify a person to respond to any communication by the data principal in relation to exercise of their rights. The Significant Data Fiduciaries, as will be notified by the Government, will have additional obligations of appointing a Data Protection Officer and also an independent Data Auditor in relation to the audit requirements that are applicable to them.
The prolonged absence of a comprehensive framework in India has meant that several businesses have become accustomed to processing large volumes of personal data with little or no safeguards. Spam calls and emails, unauthorised trading of phone numbers, identity theft, phishing attacks, and data breaches have become all too common. For those in two minds about how seriously they should start thinking about data protection, taking note of the hefty penalties under the DPDPB 2023 might be a good place to start.
This article was originally published in The Economic Times on 21 August 2023. Co-written by: Hemant Krishna, Partner, and Dhruv Khurana, Associate.
Disclaimer
This is intended for general information purposes only. The views and opinions expressed in this article are those of the author/authors and do not necessarily reflect the views of the firm.