Understanding Foreign Entities’ Obligations Under the Indian Digital Personal Data Protection Act, 2023: A Comprehensive Guide
INTRODUCTION
The journey of India’s data protection framework started in 2017, when the Supreme Court of India declared the Right to Privacy a fundamental right under Article 21 and Part III of the Constitution. The first draft bill was released in 2018; after stakeholder and public consultations, the Digital Personal Data Protection Act, 2023 (hereinafter referred to as ‘the Act’) was enacted. The aim of the new legislation is to ensure transparency, accountability, security and ethical use of personal data.
WHAT IS PERSONAL DATA?
Personal data simply means any information which can be used to identify a natural person, either directly or indirectly. It includes details like name, e-mail, contact number, address, and government identifiers such as Aadhaar, PAN and driving licence numbers.
WHO IS A DATA PRINCIPAL?
The individual to whom the personal data relates is known as the Data Principal. Where that individual is a child, the term includes the parents or lawful guardian; where the individual is a person with disability, it includes the lawful guardian acting on their behalf.
WHO IS A DATA FIDUCIARY?
The Act defines a Data Fiduciary as any person who, alone or in conjunction with other persons, determines the purpose and means of processing personal data. In practice this covers organizations that process personal data in order to provide services, fulfil contractual obligations and meet customer demands.
WHO IS A DATA PROCESSOR?
Any person who processes personal data on behalf of a Data Fiduciary is known as a Data Processor.
WHAT IS PROCESSING OF PERSONAL DATA?
Processing of personal data means a wholly or partly automated operation, or set of operations, performed on digital personal data. It includes collection, recording, organization, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.
WHEN DOES THE ACT APPLY?
The Act applies to a Data Fiduciary operating outside India when both of the following conditions are met:
- The processing of personal data is taking place outside the territory of India.
- Such processing is done in connection with an activity related to offering goods or services to Data Principals within the territory of India.
For example, if a company based in Europe offers goods or services to customers in India and, while providing them, processes their personal data, the company is obliged to follow the compliance requirements under the Act. Where a company merely hosts its infrastructure outside India but targets Indian customers, the Act still applies; the location of the servers does not matter.
Once the applicability of the Act is established, a Data Fiduciary has to comply with the provisions of the DPDP Act in letter and spirit; the non-compliance would attract penalties, and it will severely impact the organization’s reputation.
Let us now discuss some of the important compliances for Data Fiduciaries under the Act. The two grounds for processing the personal data of a Data Principal are certain legitimate uses and consent.
LEGITIMATE USES
Data Fiduciaries can process the personal data of the Data Principal under certain legitimate uses for which consent of the Data Principal is not required. These are as follows:
i) The Data Fiduciary may process the personal data of a Data Principal for the specified purpose for which the Data Principal has voluntarily provided the data, provided the Data Principal has not indicated that they do not consent to such use. The data may not be processed for any other purpose on this ground.
For example: X, an individual, makes a purchase at Y, a pharmacy. She voluntarily gives her personal data and requests Y to acknowledge the purchase by sending a receipt to her mobile phone. Y may process the personal data of X only for the purpose of sending the receipt.
ii) The State and any of its instrumentalities may process personal data for the purpose of providing a benefit, subsidy, certificate, licence or permit to the Data Principal. The State may also process personal data under any law, in the interest of the sovereignty and integrity of India, or for complying with any judgement, decree or order passed by a competent court.
iii) When there is a medical emergency involving a threat to the life or health of the Data Principal or any other individual, processing of personal data is allowed.
iv) When measures are taken to provide medical treatment or health services to individuals during an epidemic, outbreak of disease or any other threat to public health, processing of personal data is allowed.
v) Lastly, processing is allowed for the purposes of employment, which includes safeguarding the employer from loss or liability (for example, prevention of corporate espionage and maintenance of confidentiality of trade secrets and intellectual property), and for providing any service or benefit sought by a Data Principal who is an employee.
CONSENT
Obtaining consent of Data Principal is one of the lawful bases for processing personal data. Data Fiduciaries are required to obtain free, specific, unconditional, informed, and unambiguous consent from the Data Principal.
REQUIREMENT OF PRIVACY NOTICE
Prior to obtaining consent, a privacy notice must be given to the Data Principal. The notice shall contain the following:
- Information regarding the personal data being collected.
- The specific purpose for which such data will be processed.
- The procedure for exercising the rights under the provisions of the Act and for lodging a complaint with the Data Protection Board.
- The Data Principal must be given the option to access the notice in English or in any language specified in the Eighth Schedule of the Indian Constitution.
RIGHTS OF DATA PRINCIPAL
The Act bestows certain rights on Data Principals that can be exercised by submitting a request to the Data Fiduciary in the manner displayed on the website or app of the Data Fiduciary. They have the right to access information about their personal data, the right to correction and erasure of personal data, the right of grievance redressal and the right to nominate.
- The right to access information includes the right to obtain a summary of the personal data being processed and of the processing activities carried out by the Data Fiduciary, as well as the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared.
- The right to correction and erasure includes the Data Principal’s right to request correction of inaccurate or misleading personal data, completion of incomplete data, updating of personal data, and erasure of personal data that is no longer necessary for the specified purpose.
- The right of grievance redressal includes the Data Principal’s right to seek redressal from the Data Fiduciary or Consent Manager regarding the exercise of their rights under the Act. Data Principals shall first exhaust the grievance redressal mechanism of the Data Fiduciary before approaching the Data Protection Board.
- The right to nominate allows the Data Principal to nominate another individual to exercise their rights under the Act in the event of the Data Principal’s death or incapacity.
DATA RETENTION
Data Fiduciaries shall not retain personal data once the specified purpose is no longer being served, unless retention is necessary for compliance with a law in force. They must erase personal data when the Data Principal withdraws consent or as soon as the specified purpose is no longer served, whichever is earlier, and must cause their Data Processors to do the same.
DATA PROCESSING AGREEMENTS
Data Fiduciaries may engage third parties to process the personal data of Data Principals. These third parties are referred to as Data Processors. A data processing agreement should be executed between the parties outlining the purpose and scope of processing. The organization must review the security measures of its Data Processors in order to avoid incidents of data breach, because the Data Fiduciary remains responsible for compliance with the Act irrespective of any agreement to the contrary, and will be liable for any breach of personal data caused by any of its processors.
SECURITY SAFEGUARDS
Data Fiduciaries are duty bound to implement reasonable security safeguards to protect the personal data in their possession or under their control, including data processed on their behalf by Data Processors. Both organizational and technical measures shall be implemented to prevent a personal data breach, and the adequacy of these measures should be reviewed periodically rather than only after an incident.
PROMPT INTIMATION OF DATA BREACH
In the event of a personal data breach, Data Fiduciaries are obliged to intimate the Data Protection Board and each affected Data Principal in the form and manner to be prescribed once the Government releases the rules. The Act sets no materiality threshold for this duty, so foreign entities should prepare an incident response process that can identify affected Indian Data Principals and notify them for any breach, not only for large ones.
SIGNIFICANT DATA FIDUCIARY
If your organization processes a large volume of personal data, or data of a sensitivity that may pose a higher risk to the rights of Data Principals or to the public at large, the Central Government may notify it as a Significant Data Fiduciary. The scope of sensitive personal data has not been defined in the Act; it is expected to be clarified once the rules are released. Significant Data Fiduciaries are subject to greater compliance obligations, including the appointment of a Data Protection Officer based in India and of an independent data auditor, and the conduct of periodic Data Protection Impact Assessments and audits, along with any other measures that may be prescribed under the DPDP rules.
PERSONAL DATA OF CHILDREN
If Data Fiduciaries process the personal data of children (persons under eighteen) or of persons with disabilities who have a lawful guardian, they must obtain the verifiable consent of the parent or lawful guardian. Data Fiduciaries shall not carry out tracking or behavioural monitoring of children, targeted advertising directed at children, or any processing that is likely to cause a detrimental effect on a child’s well-being.
CROSS BORDER DATA TRANSFER
Under the Act, the Central Government may, by notification, restrict the transfer of personal data to specified countries or territories outside India. Data Fiduciaries must ensure that the third parties with whom they share personal data do not violate these restrictions. In addition, certain sectoral data localization rules in India impose stricter limits on the transfer of personal data, and the Act does not override them. For instance, the RBI directions on Storage of Payment System Data and the clarifications thereto require payment system providers, including banks, to store all data relating to the payment systems they operate only in India.
CONCLUSION
The Government is expected to release the Data Protection Rules for public consultation soon. The rules will give more clarity on several procedural compliances required under the Act. The Act will come into force on such date as the Government of India notifies in the Official Gazette. The categorization of Significant Data Fiduciaries and the restrictions on cross-border data transfer will become clearer once the rules are finalized. In the meantime, foreign entities should allocate resources and begin their compliance journey for the Digital Personal Data Protection Act.
Written by: Shashank Mohan