
The DPDP Act introduces stringent compliance requirements, granting individuals greater control over their data while imposing significant penalties – up to Rs 250 crores – for non-compliance.
The Act applies broadly, covering digital personal data processing within India and offshore processing linked to Indian data subjects, with exemptions for certain public interest and judicial functions.
Consent remains the cornerstone of lawful processing, necessitating explicit, auditable and transparent user agreements, particularly for children’s data.
Businesses must adopt robust data governance, implement security safeguards and ensure breach reporting mechanisms comply with the DPB’s mandates.
Compliance readiness is critical, requiring enterprises to conduct data audits, map data flows and establish enterprise-wide mechanisms for data subject rights, risk mitigation and regulatory adherence.
India’s landmark Digital Personal Data Protection (DPDP) Act is a big step towards establishing a culture of data privacy. Sixteen months after the law was notified, the Ministry of Electronics and Information Technology released draft rules under the Act, offering clarity on its implementation, including the formation of the Data Protection Board (DPB) to handle breaches and impose defined penalties. With a tangible timeline for implementation of the Act in place, the contours of the final regime under the DPDP becoming clearer and the strong penalties for non-compliance enshrined in the DPDP, it is the need of the hour for Indian businesses to understand the key tenets of the act and prepare to adhere to them. At recent India CEO Forum sessions in Delhi and Pune, Arun Prabhu, Partner and Head - Technology & Telecommunications at Cyril Amarchand Mangaldas, shed light on the changes that will flow from the DPDP and what corporates must do to prepare for it.
The DPDP Act represents a significant shift in India's data protection landscape, aiming to provide comprehensive protection for all digital personal data. It grants individuals and organisations greater control over how their data is collected, stored, processed, transferred, disclosed and used. The Act, which has been notified for information, will be implemented in phases, with the draft rules now providing clarity on key issues. At the heart of the new law is the understanding that, whenever data processing is undertaken, it must be done either on the basis of consent or on the basis of one of the other permitted uses. Enacted to provide a comprehensive legal framework for data protection, the DPDP draws inspiration from global regulations like the European Union's General Data Protection Regulation (GDPR), but tailors its provisions to India's unique needs. Despite existing regulations and a privacy culture in place, the EU’s rollout of the GDPR was still subject to implementation challenges. The DPDP is much shorter in comparison and can best be described as a brief, flat regime with a lot of room for interpretation.
The Data Principal is the individual to whom the personal data relates. In the case of a child, it includes the legal guardian of said child.
Personal data is any data about a data principal who is identifiable by, or in relation to, that data.
Data Fiduciary refers to any person who alone or in conjunction with other persons determines the purpose and means of processing personal data.
Significant Data Fiduciaries (SDFs) are parties that process large volumes of sensitive data and therefore face additional compliance burdens.
Public interest includes the sovereignty and integrity of India, national security, friendly relations with other States, maintenance of public order, preventing incitement to commit offenses related to public interest, and preventing dissemination of false statements.
Automated is understood as any digital process capable of operating automatically in response to instructions given or otherwise for the purposes of processing data.
The DPDP empowers data principals with rights that limit how their personal data can be used by data fiduciaries, subject to limited exemptions. The Act applies to:
Processing of digital personal data
Processing of digital personal data within India
Processing of digital personal data outside India if it is related to profiling or offering goods/services to data principals within India (Key Risk: it will apply to offshore processing of Indian data, whether client or employee data.)
It does not apply to:
Non-automated processing
Offline personal data
Personal data in records over 100 years old
Personal data processed by an individual for personal or domestic purposes.
Data that is made, or caused to be made, publicly available by the data principal or any other person who is under an obligation under any law to make data public.
Examples: public profiles, websites, defaulter data, offer documents.
Consent is the primary basis for processing and must be a freely given, specific, informed, unambiguous and affirmative action in response to a clear notice. The notice must be presented independently of other information and be linked to the Data Fiduciary’s app or website:
It should be written in plain language and accessible in English or one of the 22 Indic languages.
It should include an itemised list of the personal data collected, the specific purposes of processing and contact details for the data protection officer.
Consent must be auditable, and the burden of proof is on the Data Fiduciary.
Verifiable parental consent is mandatory for processing children's data.
Risks:
Consent can also expire or be revoked, as in the case of former employees or customers.
If notices are not robust, consent may be invalid, and this may only become evident post breach.
Businesses often fail to maintain old consent records for auditing purposes.
The burden of compliance is on data fiduciaries to implement age verification mechanisms to establish whether a data principal is a child.
Legitimate use of personal data under the DPDP Act encompasses various scenarios, including when data is voluntarily provided for a specific purpose, and where the linkage between submission and purpose is clear and unequivocal. It mandates that organisations can only use such data for the intended purpose and nothing else. Additionally, personal data can be used for performing legal functions, providing services or issuing certificates in compliance with government standards, either with prior consent or as mandated by law. Further, data may be used to comply with judicial orders or for emergency situations such as medical treatment or disaster assistance. Finally, data can be processed for employment-related purposes, safeguarding employers from loss or liability, including the protection of trade secrets and IP or providing benefits to employees.
Scope Expansion: Unlike the narrow protection under the Information Technology Act, the DPDP Act extends protection to all digital personal data, without a specific definition of sensitive information. This broadens the scope of protected data significantly.
Data Subject Rights: The Act introduces clearly defined rights for data subjects, including access, correction, erasure and withdrawal of consent. Enforcement of these rights will be overseen by a dedicated DPB, ensuring effective implementation.
Adjudication Mechanisms: A now-defunct mechanism for data protection adjudication is replaced by a dedicated DPB with a time-bound mandate. Additionally, there are provisions for appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), ensuring a streamlined process for resolving disputes.
Breach Notification: While breaches were previously reported only to CERT-In, the DPDP Act mandates notification to both the DPB and affected users. This ensures transparency and accountability.
Reasonable Security Standards: Unlike the previous reliance on ISO 27001 compliance, the DPDP Act does not provide a bright-line test for security standards. Instead, it requires entities to implement reasonable security measures, with the determination of reasonableness made after a breach occurs.
Penalties: The Act introduces significantly higher penalties, with fines reaching up to Rs 250 crores for non-compliance. Additionally, there is a residual penalty of Rs 50 crores for offenses not specifically addressed in the law, creating a regime with substantial deterrents.
The Central Government can, upon notification, exempt the processing of personal data from certain provisions of the Act in cases where:
Any instrumentality of the State requires the data in public interest (as defined, except dissemination of false information).
It is necessary for research, archiving or statistical purposes, provided the data is processed in accordance with standards specified by the Data Protection Board and is not used to take decisions specific to the data principal.
Storage limitation obligations of the DPDP do not apply to data processing by the State or its instrumentalities. Furthermore, several provisions of the DPDP (other than those relating to security standards) will not apply to the processing of personal data if:
It is necessary for the enforcement of legal rights or claims
It is necessary for the performance of any judicial or quasi-judicial function
It is in the interest of prevention, detection, investigation or prosecution of any offence or contravention of laws
It involves personal data of data principals not within the territory of India (such as for the outsourcing of data processing to India)
It is necessary for a scheme of compromise, arrangement or reconstruction approved by a court or tribunal
It is for the purpose of ascertaining the financial information and assets and liabilities of any person who has defaulted in payment due on loan from a financial institution, in accordance with any law
Systems and processes
Enabling Data Principal Rights Enterprise Wide:
1. Identify and document all held data, its usage and sharing practices. Risks include unstructured data and disjointed databases.
2. Implement processes for data correction, erasure and time-bound grievance redressal. Offline data poses a key risk.
3. Ensure mandatory breach notifications reach all data principals, considering challenges in contacting legacy users.
Establishing Reasonable Security Safeguards to prevent personal data breaches. Note the absence of a bright-line test; ISO standards may not be sufficient.
Implementing Technical and Organisational Measures to enhance data protection, aligning with legal requirements.
Entering into Contracts with Processors or Fiduciaries that adhere to obligations and provide indemnity.
Reporting breaches
Each affected Data Principal must be informed with details on the nature, extent, timing and location of the breach; its consequences; the safety and mitigation measures taken; and contact information for any queries.
The timeline for doing this is not specified, though the legislation states that it must be done ‘without delay’.
Details on nature, extent, timing, location and impact of breach must be intimated to the Data Protection Board without delay.
A more detailed and updated analysis can be sent within 72 hours (or longer, as allowed by the DPB in response to a written request).
This will need to be completed in addition to existing CERT-In and sector-specific reporting obligations.
Audit and Certification: Ensure effective management of personal information by complying with data privacy assurance standards such as IS17428, ISO 27001, and EHR standards. Implement reasonable security standards and appropriate technical and organisational measures as per statutory requirements.
Obtain W&I/E&O insurance to mitigate risks associated with severe penalties under the Act, especially for systemically important financial institutions and large data processors.
M&A Exceptions (only for Court Approved Schemes)
Processing that is necessary for a court-approved M&A scheme is exempt.
Private arrangements are excluded.
The exemption will not cover data sharing for diligence before the transaction is approved, or broader sharing between the entities after the transaction.
Key Questions
Is the target data resilient?
Will the business be disrupted by the Act?
Is there a history of breaches?
How clear and broad are the consents for the data?
How robust are IT processes?
Data Flow Mapping as Part of Diligence:
Data collection: Type of data collected and linkage with the purpose at granular level.
Storage and processing in accordance with periods of obsolescence.
Outflow of data to third parties only for the purposes related to the services offered.