Data Protection- the regime in India (Part-II)

Continuing for the first blog post, we here continue on the second part on Digital Personal Data Protection Act, 2023 ("DPDPA") elucidating the salient features of DPDP Act. 

The Digital Personal Data Protection Act, 2023 ("DPDPA"), India's long-awaited general law protecting personal data, was finally passed on August 11, 2023[1]. After more than five years of discussion, the new law was passed, making it the first cross-sectoral law on personal data protection in India.

The DPDPA will be significant to many foreign businesses including EU SMEs that either operate in India or rely on Indian service providers/group service companies for their operations or are looking to enter Indian markets.

Salient Features of DPDPA

DPDPA allows for the processing of digital personal data in a way that safeguards people's rights to privacy protection and the need to process such data for legitimate purposes. The statute not only stipulates the obligations of persons, companies and government entities who process data, but also rights and duties of the person to whom the data relates.

The purpose of the DPDPA has been to induct a cogent data protection scheme by causing minimum disruption in the already data dependent society and to enhance the ease of living and ease of doing business by creating an innovation-oriented ecosystem.

DPDPA protects an individual’s right to access information about personal data processed. It also safeguards an individual’s right to correction and erasure of data.

DPDPA governs not only Indian citizens and companies that gather Indian citizen data, but also non-citizens residing in India. It also governs the processing of data which is collected in India in connection with any activity involving offering goods or services outside of India. DPDPA, for instance, would be applicable even if a provider, who is based outside of India, is offering digital goods or services to a French national living in India.

DPDPA permits the processing of personal data for any legitimate reason, which are specifically outlined in the statute. The party/entity handling such data may do so with the consent of the person in question or for "legitimate purposes"[2].

In case of violations, the DPDPA allows for harsher punishments and allows for imposition of hefty fines. Rather than serving as compensation, the fines are penal in nature.

The DPDPA also lays out provisions for electronically mediated alternative dispute resolutions which as per the contemplation of the statute would kick in in case of dipute or difference.

The DPDPA also empowers the government to restrict public access of repeat offenders to any information, including websites and applications, that which could be utilised by data fiduciaries to market goods and services.

DPDPA versus GDPR

While the GDPR is based on the EU Charter of Fundamental Rights and the previous Data Protection Directive, the DPDPA is a legislative expression of the fundamental right to privacy that was laid down by the Supreme Court Supreme Court in K.S. Puttuswamy v. Union of India[3].

The primary goal of DPDPA is to regulate “Data Fiduciaries[4]”, who are akin to “Data Controllers” under the GDPR. The data fiduciaries/data controllers are the entities that hold data on behalf of “Data Principals[5]”, who are akin to “Data Subjects” under the GDPR. Under both the laws, the data principals/data subjects are the ultimate owners of the personal data.

In contrast to the GDPR, which imposes legal obligations on both data controllers and processors, the DPDPA explicitly holds data fiduciaries accountable for the conduct of data processors they hire. The DPDPA differs from the GDPR in another important way since it does not make a distinction between sensitive and personal data. Instead, there is uniform regulation over all personally identifiable data. Furthermore, while publicly available data is still protected under the GDPR, all publicly available data—whether done so voluntarily or as required by applicable law is fully outside the purview of the DPDPA[6].

With respect to international transfer of data, while the GDPR mandates that international data transfers occur in accordance with additional safeguards, the DPDPA does not presently outline the additional precautions that must be taken for international data transfers. However, these precautions may be later specified in other regulations, and the Indian government may designate specific jurisdictions to which data cannot be transferred[7]. It must be borne in mind that DPDPA is nascent legislation and will see growth and reformation in the future.

Implication for EU SMEs

Under the DPDPA EU SMEs have to take consent from stakeholders before collecting their personal information. In order to safeguard interests and especially to avoid legal disputes or litigation, EU SMEs should execute data sharing agreements (DSAs). DSAs are enforceable agreements that regulate the sharing of data between two or more parties. A well-drafted DSA ensures trust with partners and customers, thereby reducing legal risks, and further ensuring that data is shared responsibly.

EU SMEs which are GDPR compliant, only have to take a little more caution to operate in India. While there are some concepts and principles of the DPDPA that are similar to those of the GDPR, EU SMEs experienced in complying with EU and UK laws, must appreciate certain significant differences as deliberated in the preceding section and should take proper legal advice in order to be DPDPA compliant.

Best Practices

EU SMEs should endeavor to protect sensitive data to avoid not only legal complications but to also maintain goodwill as well. Some of the best practices are enumerated herein below:

·Sort and identify sensitive data. As new data is created, modified, processed, or transmitted, the classification may be updated[8].

·A policy for data usage is imperative.

·Vigilance on private/sensitive data.

·Protect data physically. For instance, establishing a BIOS password will help protect data by preventing hackers from accessing operating systems.

·Documentation of cybersecurity guidelines aids in enforcing it. Reformative penalties should be put in place for action correction and habit creation.

·Use Antivirus software, Antispyware, Firewall, etc.

·Put into practice a risk-based security strategy. By using a risk-based approach, one can safeguard the company from potential breaches and leaks while also adhering to regulations.

·Educate and train staff.

Conclusion

Both individuals who entrust their personal information to organizations on a daily basis, and businesses navigating a complex regulatory landscape, must understand data privacy and its implications. There are numerous advantages to following data protection regulations. Good data protection is not only required by law, but it also makes financial sense because it can save money and time. Additionally, it demonstrates to consumers that an organisation values their privacy, which is beneficial to the brand and reputation.

The DPDPA, which represents the beginning of statutory personal data protection regulation and is of immense importance for EU SMEs. Although it is still debatable whether the new law would result in better privacy protection in any meaningful way, it can be certainly said that it is yet to mature and settle. So, EU SMEs will have to look out for the regulations brought by the government in the ensuing time and will also have to look out for the input of the judiciary.

The degree to which personal data privacy is protected and non-personal data is regulated will depend on the institutional arrangements and regulatory developments that occur over the course of the next few years and stakeholders will be in anticipation till then.

[1]THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023 https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf

[2] Refer Sections 7 and 17 of THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023 https://www.meity.gov.in/writereaddata/files/Digital%20Personal%20Data%20Protection%20Act%202023.pdf

[3] AIR 2017 SC 4161

[4] Refer Section 2(i)- “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.

[5] Refer Section 2(j)- “Data Principal” means the individual to whom the personal data relates.

[6]https://corporate.cyrilamarchandblogs.com/2023/10/indias-new-data-protection-law-how-does-it-differ-from-gdpr-and-what-does-that-mean-for-international-businesses/#:~:text=While%20GDPR%20requires%20international%20data,Indian%20government%20may%20also%20specify

[7] Ibid

[8]https://www.loginradius.com/blog/identity/data-security-best-practices/