Data Protection Law: Focus On Accountability, Consent, But Offline Data Must Be Treated At Par
In an era marked by increasing digitization and data-driven technologies, India has taken a significant step towards safeguarding its citizens' digital privacy. The much-awaited Digital Personal Data Protection (DPDP) Act, put together by the Ministry of Electronics and Information Technology (MEITY) after extensive consultations with the public and industry during the draft stages, signifies a crucial development in protecting personal data and upholding individuals' rights in the digital age.
At its heart, this groundbreaking legislation aims to establish a higher level of accountability and responsibility for businesses operating within India and involved in the collection, storage, and processing of citizens’ data, via a robust consent-based data sharing mechanism. The act takes an approach similar to other international data protection laws such as the EU’s General Data Protection Regulation (GDPR) and extends its coverage to all entities who process personal data regardless of size or type of the entity. This piece focuses on what new data rights are assured to the consumer and what support the industry requires in this transition phase to implementation of the DPDP.
Citizens’ Rights
The DPDP act enshrines three key rights for individuals. In doing so, it gives individuals who share their personal data, referred to as the “data principals”, a great deal of control over how they share their personal data and how that shared data is used.
Consent Is King
For starters, explicit consent becomes the basis of collection and use of all digital personal data. This means any personal data can be collected and processed by any entity, referred to as a “data fiduciary”, only with the explicit and informed consent of the individual. The data fiduciaries therefore have to prominently display a notice about the personal data being collected, the purpose for which it will be processed, the other entities with whom the data may be shared, as well as the provisions for retention, reuse, and erasure before or at the time the data principals are asked to give consent. This ensures that data principals have a comprehensive understanding of how their personal data is being used.
Correction & Erasure
Second, data principals also have the right to correction and erasure of their data. Any data fiduciary collecting or using the data is required to make provisions to allow the data principal to modify the data in case it is inaccurate, misleading, incomplete, or outdated, or scrub it entirely on the request of the data principal.
Grievance Redressal
Third, data principals have the right to grievance redressal. The DPDP act mandates clear rules for setting up grievance redressal officers and cells. If the data principal has any issues or concerns about how their personal data is being processed, they have the right to raise a grievance and the data fiduciary is obligated to respond to those grievances within a prescribed timeframe.
Industry Obligations
Together with these provisions, the act sets far-reaching obligations and limitations on data fiduciaries processing any personal data in a digital format. While the Act rightly specifies the elements of compliance such as notice, consent, and the rights of data principals and fiduciaries, it is important that the rules are not prescriptive in matters like how the notice is displayed or how consent is captured, as those should be the purview of the UI/UX experience design of digital platforms.
Implementation Timelines
The industry awaits the notifications and rules on the timeline to meet the provisions of the Act. The data fiduciaries are required to implement appropriate technical and organizational measures to ensure the effective implementation of the law. Considering the requirement for cross-compliance with digital laws from sector-specific regulators and the multiple stakeholders involved in enabling digital transactions, implementing the compliances under this law will require significant technological and operational realignment and preparedness on the part of industry players. The EU’s GDPR provided 24 months for preparedness and compliance, while Singapore’s PDPA provided 18 months. Indian industry will need an implementation window of at least 18 to 24 months to be prepared for compliance.
Parity
Finally, non-digitized personal data is excluded from the ambit of the Act. Such complete exclusion is not advisable, as data collected offline using forms or printouts should be handled by data fiduciaries with the same obligations as online data. If the intention is to provide an exemption to startups or MSMEs, the same could be achieved under the section of the DPDP providing for specific exceptions to entities requiring such simplification. It is critical that non-digitized data also be brought under the aegis of this law so that there is a level playing field between digital and physical players, and so that consumers get maximum protection and accountability from online and offline data fiduciaries alike.
Summary: India's Digital Personal Data Protection Act represents a pivotal moment in the nation's commitment to securing the privacy and data rights of its citizens. The provisions of the DPDP act create an enhanced atmosphere of trust and security for more complex digital transactions and have the potential to scale up the scope of digitally processed financial transactions. While challenges in implementation may arise, the Act's enactment underscores India's dedication to navigating the complexities of the digital age and is a significant stride towards a more secure and privacy-aware digital future.
A version of this article appeared in Financial Express (India) on October 8, 2023.