DIGITAL PERSONAL DATA PROTECTION (DPDP) ACT, 2023: Impact on Businesses and Industries

This research paper aims to delve deep into the newly passed Digital Personal Data Protection (DPDP) Act, 2023 and analyse its provisions while establishing how they affect businesses and industries. The passing of this act has established a robust legislative framework for data protection and consumer privacy, and for how entities must abide by that framework to ensure the integrity and proper utilisation of data. Data is a crucial source of information which entities require to make informed decisions and plans, but a line must be drawn as to the extent to which consumers’ data can be utilised for their services. Data, being an intrinsic feature of privacy, holds strong regard as to how individuals wish to share it and is a sensitive area concerning the confidentiality of a person. The research paper aims to address the act with regard to how data is collected and used between Data Principals and Data Fiduciaries, along with the challenges and problems faced by businesses which are required to comply with it.

Keywords-

Personal Data, Data Protection, Data Breach, Data Principal, Data Processing

Introduction- 

In India, up until the last decade there was no proper data protection framework with regard to the protection of consumers’ data and their utilisation. When it came to data protection, the Information Technology Act, 2000 was the main act concerning the use of electronic data, be it for storage or utilisation purposes. Data relates to the personal information of an individual, which is an intrinsic part of one’s Right to Privacy and cannot be misused in that regard. With the increase in cyber attacks, data breaches, and the collection and processing of data, the DPDP Act, 2023 was passed to address the operational deficiencies of the IT Act, 2000 and bring it on par with modern data protection standards. As compared to global standards of data protection and privacy such as the GDPR and APEC, India was in dire need of a revamped set of data protection regulations. After all, India being the second largest country with a huge user base for various online services, it was only natural that millions of consumers’ personal data would be stored and utilised by business entities for the purpose of their services. Businesses rely on databases of their consumers to create plans and structures which are implemented in their services based on the data collected. This could be worrisome, since sensitive data of consumers could potentially be leaked or misused, which is what the said act was enacted to prevent. From a business standpoint, the new act could be troublesome due to its stringent provisions and robust framework, but in the long run it could significantly protect one’s digital personal data and privacy.

Research Methodology-

This research paper is descriptive in nature, taking material from secondary sources for the purpose of analysing the correlation between the DPDP Act, 2023 and the potential impact it has on businesses and industries. The sources collected to write this paper include, but are not limited to, newspapers, articles, reports, blogs, etc.

Review of Literature: – 

Explaining through his article, the author Naveen Malpani discusses the role of Data Fiduciaries, some of their obligations and how this change affects the data-sharing structure of individuals. The author draws parallels between some important provisions of the act and connects them, in the form of recommendations, to industries in terms of complying with them.

The author of the article discusses the proper role given to Data Fiduciaries by the act, the compliance mechanism and the reasons why they are required to follow it. Moreover, the author compares the new act with the current GDPR regulations, highlighting its empowerment of individual privacy and safety and the requirement for industries to adapt.

Overview of Data Protection in India: – 

India lacked a comprehensive data protection framework to protect individuals’ data from use by entities for the purpose of running their services. The IT Act, 2000 was the previous legislation governing the processing and collection of data in India, which was scrutinised due to its outdated framework in the age of digital revolution. To update the standards of data security and processing, the DPDP Act, 2023 was passed to address the current issues and raise the bar of data regulation to global standards like those of other countries. Take for instance the GDPR, which governs EU countries and is currently the strongest data protection regulation, emphasising the following 7 principles: Lawfulness, Fairness and Transparency; Purpose Limitation; Data Minimisation; Accuracy; Storage Limitation; Integrity and Confidentiality; and Accountability. Another such example is the CBPR system, a government-backed data privacy system followed by 6 countries, namely Australia, Canada, Japan, the Republic of Korea, Mexico, the Philippines, Singapore, Chinese Taipei and the United States, which companies can join to demonstrate compliance with internationally recognised data privacy protections. With the growing importance of personal data, concerns about privacy being breached have been rising. After all, privacy has gained substantial importance after a nine-judge bench in the case of Justice K.S. Puttaswamy & Anr. vs. Union of India held that the Right to Privacy, as enshrined under Article 21 of the Indian Constitution, is a fundamental right, further laying down a 3-fold test. This ruling finds applicability in all spheres, particularly in strengthening the data privacy domain in India while expanding the meaning of Article 21.

Significant Data Fiduciaries: –

With millions of services available to cater to the requirements of individuals, data is a vital source of information on which companies base their operations. The personal data of individuals, or Data Principals as the act calls them, could also relate to children or disabled persons, who are represented by a legal guardian to provide consent for such services, or to any individual in particular as mentioned in clause 2(j). Before their personal data can be utilised, entities require their clear and explicit consent before being allowed to process or collect their individual data. Now that the Act has come into play, companies or entities must abide by the regulations passed to avoid stringent penalties. According to clause 2(i), the term Data Fiduciary refers to a person or a group of persons who determines how data is to be collected, along with the means of its collection.

It could refer to persons, firms, entities, companies, associations of people, etc. who receive the set of data for processing for their services. At times, certain entities could be classified as Significant Data Fiduciaries on the basis of the nature, scale and volume of the data and how sensitive the data collected is. This classification of Significant Data Fiduciaries is done by the Central Government and can range from – 

i) Large Corporations and Tech Companies: Companies such as Google, Facebook, Amazon and other tech giants collect vast amounts of user data for the various services they provide, thereby making them prominent data fiduciaries.

ii) Healthcare Providers: Hospitals, clinics, pharmacies and other health-related organisations actively process sensitive medical data, making them key data fiduciaries responsible for patient confidentiality and data collection.

iii) Financial Institutions: Banks, insurance companies and fintech firms handle extensive financial data for monetary transactions and collect personal data of individuals for the same.

iv) Government Agencies: Certain government agencies/entities process citizen data for administrative purposes and are also considered data fiduciaries under the DPDP Act, 2023.

Obligations of Entities: –

Certainly, after the passing of the act, the entities, or data fiduciaries as we call them, are required to adopt these new regulations to prevent hefty penalties being imposed, or even to continue their operations. Chapter II of the act, namely sections 4 to 10, deals with the obligations of entities with reference to the collection and processing of individuals’ data. Let us delve into the important provisions pertaining to obligations to analyse the business’s perspective: 

  1. Personal Data Processing – 
  • As per Section 4, the so-called Data Fiduciaries are required to follow the regulations laid down and can only collect personal data of Data Principals with their consent, or for lawful purposes with their explicit consent. This section lays down the above-mentioned 2 grounds for the purpose of processing sensitive data of individuals. 
  • Section 5 states that before requesting consent from a Data Principal, the Data Fiduciary is required to give prior notice to the individual describing the manner in which personal data is to be processed. Besides this, they are required to explain the rights of a Data Fiduciary along with the grievance mechanism for the individual to complain to the Board. Moreover, individuals should have access to the notice or request in any language of their choice, as listed in the 8th Schedule of the Constitution. 
  • Section 6 relates to consent given by the Data Principal, which should be clear and unambiguous, constituting proper valid consent for the purpose of data processing. The Data Fiduciary must facilitate Data Principals in managing, reviewing or withdrawing consent through an appointed Consent Manager, accountable to them, and such a request for consent must be made in a clear and understandable manner. 
  2. Specific use obligations- 

Section 7 of the Act states that the personal data of an individual can only be processed in situations where the individual voluntarily consents and provides such sensitive data to the Data Fiduciary for the purpose of processing. This can relate to a specific purpose stated before consent is given, and the data can be utilised only for that specific purpose unless explicitly refused. However, there is an exception whereby such data can be collected in cases involving the sovereignty and integrity of the nation or security purposes, an immediate threat to the life of any person, or the purpose of medical treatment or health services for persons affected by natural calamities, public disorder, an outbreak of disease or any such dire situation. 

  3. General Obligations- 

Section 8 of the act lists general obligations which are required to be followed by Data Fiduciaries for processing such sensitive data. Clause (1) states that even if there is an agreement to the contrary with regard to data processing, or duties/actions which were not carried out by Data Principals, it does not set aside the liability of Data Fiduciaries to carry out their duties in accordance with the provisions. Sections 8(6) and 8(7) deal with the obligation of Data Fiduciaries to adopt suitable technical and organisational measures, along with the mandate to notify the Data Protection Board and the concerned individuals in case of any data breach. This is to ensure that Data Fiduciaries maintain security and compliance and remain wary while fending off potential data breaches. Moreover, the act safeguards individuals’ personal data even when they withdraw their consent for use of a particular service, by requiring Data Fiduciaries to erase/remove personal data once a Data Principal withdraws his/her consent or upon completion of the specified purpose. Lastly, these Data Fiduciaries are required to publish the contact details of Data Protection Officers (DPOs), who handle compliance with the act and the data handling procedures. 

Impact on Businesses/ Industries- 

  1. Consent Management- 

Now that the DPDP Act, 2023 has been passed, it changes the framework as to how consent works for the purpose of data processing. Consent has been given more importance, thereby increasing the confidence of individuals with regard to the use of their sensitive data. Such sensitive data comes under the Right to Privacy enshrined in Article 21 of the Indian Constitution, and as it is a fundamental right, not following the protocols laid down could lead to a data breach affecting millions of individuals. Due to this, entities are required to provide notices to their users asking for clear and explicit consent before they use the service, to enable the collection or processing of data. This goes a long way in maintaining transparency as to data processing mechanisms and the authorised use of individuals’ data.  

  2. Strict Data Handling Protocols-

The DPDP Act, 2023 has introduced protocols which entities are required to abide by to prevent unauthorised use of individuals’ sensitive data. The act emphasises accuracy, minimisation and storage mechanisms so that only the relevant and necessary information of individuals is utilised for their services, setting aside personal data not required for providing such services. The storage of data also works with the specific data shared by the Data Principals, and such data can only be utilised for the purpose the entity informs them of prior to collection and should be shared consensually and willingly by the individual. Moreover, the act addresses the issue of entities holding onto data after individuals withdraw consent for such a service, by requiring the entity to delete/remove such existing data once consent is withdrawn or even when the purpose of collecting such data is fulfilled.

  3. Enhanced Privacy Measures- 

Data, being sensitive in nature, was bound to be protected and safeguarded for the sake of individuals’ integrity. It falls within the expansive meaning of the Right to Privacy as enshrined in Article 21 of the Indian Constitution, and this act has given more safety and security to individuals to protect their data. Now individuals are empowered with their rights and can access, rectify or erase their data, or even deny consent to Fiduciaries to process their data. Moreover, the act introduces ‘Consent Managers’, who act as a single point of contact between a Data Fiduciary and a Data Principal to provide, manage, review and withdraw consent on behalf of the Data Principal.

  4. Mandatory Compliance and Obligations- 

The act requires certain entities to appoint Data Protection Officers (DPOs), who will be in the position of managing compliance and data protection strategies, along with interactions with data protection authorities. These DPOs serve as important liaisons, responding to questions and issues raised by Data Principals, promoting openness, and maintaining the accuracy of data handling procedures. Moreover, such Significant Data Fiduciaries have additional responsibilities such as appointing independent auditors, conducting periodic data assessments and audits, and implementing comprehensive data protection measures.

  5. Cross-Border Data Transfer- 

The scope of the act is not restricted to India, since the provisions apply to Data Fiduciaries internationally as well. After this act has been passed, businesses must assess and adopt newer methods of data transfer across borders. Since businesses involved in processing data could carry out operations abroad, they would still be required to follow the DPDP regulations on cross-border transfer. Moreover, the Central Government is empowered to restrict such transfers of data through notifications in accordance with Sec. 3. So, usually, if such data is transferred to a country with strict data protection mechanisms and regulations, there is a higher chance of the cross-border data transfer being allowed for the protection of individual data.

Suggestions: –  

With the DPDP Act, 2023 finally in place, it is time businesses changed their strategies and adopted mechanisms which work within the current regulations. Though the act forces entities to rework their data processing mechanisms, causing serious rewiring of their structures, it is time to uphold the ideal behind the law, i.e. promoting a comprehensive legislative framework, thereby protecting individuals’ data. Businesses should conduct periodic data audits and data protection assessments from time to time to uphold the standard of data processing for their concerned service. Such entities can also appoint an independent auditor to safeguard the procedures and oversee compliance while keeping in mind the interests of Data Principals. A proper recommendation for Data Fiduciaries would be to change their privacy agreement along with their terms of service, making sure they provide notice of such data processing, along with optional accessible languages for the individual to receive such notice, and explaining the rights of Data Principals to empower them. Moreover, it would be better for entities to dedicate a team to data security who could look into and analyse potential grey areas to prevent any leakage of individuals’ data. Upcoming entities should upgrade their security, storage and controls to be on par with the new regulations. Though businesses are required to comply with the provisions, following them and upholding the regulations would benefit them in the long run by raising the confidence of individuals with regard to data processing, thus raising their trust factor. Besides this, it could attract potential investments due to the increase in goodwill of the entity for upholding data security standards. For a huge country like India, with millions of users, it is only natural that a robust data protection framework is needed, with non-compliance resulting in penalties of up to Rs. 250 crore. 

Conclusion: – 

In this new era of digital evolution, where a plethora of services is available to individuals for personal use, data plays a vital role in running the digital landscape. Data, being the new currency, is an essential part of one’s identity and is utilised to run the services of entities with the use of such pivotal information. India lacked a compact data protection mechanism to protect individuals’ data from being processed by entities, in spite of the IT Act, 2000 governing data security. Taking into account international standards of data protection, along with the urgent need for a better data security mechanism, finally led to the passing of the DPDP Act, 2023. Though the act requires entities to raise their data processing schemes and mechanisms, it is an encouraging move to promote a robust data security mechanism in India, preventing misuse of individuals’ data and increasing security. With the rapid rise of digital technology, there exists a possibility of dangerous breaches or leakage of private data, due to which stringent provisions were required to be implemented to be up to date with regard to data security. Nevertheless, businesses and industries are required to abide by the new updated standards of data protection for the better, or would have to pay heavily in penalties as a consequence of such non-compliance.

Shaan Vellanki,

Symbiosis Law School, Nagpur