India recently passed a wide-ranging data protection law. Lawyers share what companies need to do to keep up.

India’s digital transformation has permeated to almost every aspect of personal life. From healthcare and employment to e-commerce and tourism, the country’s digital infrastructure connects more than 692 million internet users to domestic and international businesses, whose operations and services depend on the personal information they collect from their customers.

This quantum digital leap was so far largely unchecked, with little attention given to building personal data protection architecture in the country. In 2011, the Information Technology Rules, also known as SPDI Rules, did introduce concepts like consent, privacy policy and reasonable security practices into India’s digital framework. But without a robust enforcement mechanism and reporting requirements, the SPDI Rules did little to amend data collection and processing practices in the country.

The Digital Personal Data Protection Act, 2023, enacted in August is poised to change all that. The act introduces significant obligations on private businesses collecting data, called “data fiduciaries,” setting broad rules for data processing, use and retention. It pre-scribes specific regulations for consent, purpose limitation, data accountability, transparency and accuracy.

Udit Mendiratta, a partner in Argus Partners’ technology and data protection practice says the new act completely overhauls the previous SPDI regime. “The SPDI Rules were fairly basic. They had very basic compliance requirements - consent and reasonable security practices being in place. Those are not sufficient to meet the demands of today. This new act, while building on SPDI principles, overhauls the system and provides far more stringent, detailed and nuanced compliance requirements.”

In a significant shift in policy from previous drafts, the act widens the scope for cross-border data flow and makes relaxations in data localization requirements.

The act provides specific parental consent requirements for processing data of children, restricting data fiduciaries from tracking or behavioural monitoring, and targeted advertisements directed at children.

The act also establishes a Data Protection Board, which will serve as a complaint redressal mechanism for personal data providers, regulate compliance and prescribe penalties for breaches.

For non-compliance and data breaches, the act prescribes penalties of up to 2.5 billion rupees ($30 million).

MORE OBLIGATIONS

Experts agree that with the introduction of specific consent and notice requirements, regulations on data processing, reporting obligations and high penalties, companies will no longer be able to skirt personal data-protection obligations as was the case under the SPDI Rules. The act’s coverage is wider than under the previous regime, says Anirudh Rastogi, founder and managing partner of Bengaluru-based law firm Ikigai Law. “While the SPDI only governed a subset of personal data, the new act governs the entire set of digital personal data,” he notes. “Businesses have obligations to implement security measures, notify breaches, and delete data after processing.”

Moreover, Mendiratta notes that the onus of proving compliance under the law is now a positive obligation on the data fiduciary. While the SPDI Rules had consent requirements, the new act “says consent has to be free, specific, informed, unconditional, unambiguous, affirmative action. So it’s really on the data fiduciaries now to demonstrate how they have checked all these boxes.”

On the other hand, the act also empowers data principals - people who share their personal data with fiduciaries - to control and verify how their data is used, stored, and transferred. “This requires a sophisticated user-facing consent process as well as internal systems and tools that are largely absent in the Indian market today and will come at a significant cost for the small and medium-sized companies,” says Mathew Chacko, the head of Spice Route Legal’s TMT practice.

Data fiduciaries must also ensure that data is only used for the purpose for which consent was given. This includes “where users may have denied the use of ad-tech tools to process their data for data analytics or targeted advertising,” Chacko says.

Even data processors, while exempt from compliance requirements under the act, are not in the clear. “While data processors are exempt from the law, we expect data fiduciaries to subject them to similar obligations – so your classic processors (SaaS tools, outsourcing companies, etc.) should begin to explore compliance as well,” Chacko adds.

DATA ARCHITECTURE

While data architecture is to be drastically enhanced across the board, some companies may already be better placed to comply with the act than others. Multinational companies are better placed than local companies due to their exposure to more than 150 global privacy laws, while tech businesses are also better placed than others due to Google and Apple’s app store privacy requirements, Rastogi says.

So how does a company go about building infrastructure to comply with the act when its provisions are notified?

“Businesses need to have a 360-degree view over their data handling practices – know where the data is flowing in, how it is used, where it is stored, who it is shared with and when is it deleted,” Rastogi says. Once a company has gained visibility, it must take steps to identify gaps and implement measures to rectify those gaps, he adds. This is an elaborate exercise, explains Mendiratta: “Companies must firstly, list down the kind of data being collected and decide what is essential for their purpose. Secondly, companies must also very clearly define for themselves and for their end users the purpose of this data collection.” Companies also need to do a risk and cost-benefit analysis on whether they want to build internal capabilities to ensure compliance or outsource to third-party consent managers, as often is the case in other jurisdictions, Mendiratta adds.

Particular to India are also questions around the capability to obtain consent in regional and local languages. “There’s a huge volume of apps which penetrate local markets based on language because they are offered in multiple languages,” Mendiratta explains. While the law prescribes the requirement of informed and verifiable consent, it is unclear whether companies will be expected to build capabilities to obtain consent in local languages.

Building critical data infrastructure will require companies to considering increasing investment in technology and manpower. Tech tools to automate data collections and storage, identify breaches, and to empower users to monitor the use of their data might significantly bring down costs in the long term.

“Companies will also have to start exploring the option of in-house data privacy officers and privacy teams to implement and oversee compliance, which will require corporate data governance strategies, organisation rehauls, and significant training,” Chacko adds.

START THE COMPLIANCE

While the provisions of the act will come into force when notified by the Central Government, and some leeway period to allow organizations to fall in line is expected, experts believe companies must get serious about building compliance capabilities today.

It is unclear how much time the government is going to grant companies to comply with a provision once notified, so to ensure no disruptions to data collection and business operations, it is essential companies start working towards compliance immediately, Mendiratta advises his clients.

The burden may be higher in particular sectors as the act leaves space for sectoral regulator to impose higher obligations. Rastogi says its likely the finance sector may see higher obligations as the Reserve Bank of India is proactive about regulating transactional and lending data, and entities including payment providers and digital lenders.

Experts agree that finance and banking, social media, e-commerce, healthcare and ed-tech companies have the most to worry about, given their exposure to high quantities of sensitive data and strong regulatory oversight. There have also been talks of the government exempting start-ups from compliance with certain provisions, as there is a fear that the burden of compliance may take a toll on their ability to operate.

But this could be a double-edge sword warns, Chacko. “Limited obligations will remove the barriers to entry and innovation that the law could create for smaller companies. However, this must be balanced against the potential misuse of data that a blanket exemption could permit,” he says.

Moreover, data principals are growing more conscious of how their data is used. Mendiratta notes that companies that are exempt may lose business to competitors that are collecting and storing data in compliance with the act.

“Users will perhaps hesitate to engage with organizations that are exempt. You’re enjoying an exemption, but there is a certain set of the population which will say, maybe I don’t want to give my data to you.”