ASIAN LEGAL BUSINESS – SEPTEMBER 2023 WWW.LEGALBUSINESSONLINE.COM

DATA PROTECTION

A NEW REGIME

India recently passed a wide-ranging data protection law. Lawyers share what companies need to do to keep up.

BY NIMITT DIXIT

India’s digital transformation has permeated almost every aspect of personal life. From healthcare and employment to e-commerce and tourism, the country’s digital infrastructure connects more than 692 million internet users to domestic and international businesses, whose operations and services depend on the personal information they collect from their customers.

This quantum digital leap has so far been largely unchecked, with little attention given to building personal data protection architecture in the country. In 2011, the Information Technology Rules, also known as SPDI Rules, did introduce concepts like consent, privacy policy and reasonable security practices into India’s digital framework. But without a robust enforcement mechanism and reporting requirements, the SPDI Rules did little to amend data collection and processing practices in the country.

The Digital Personal Data Protection Act, 2023, enacted in August, is poised to change all that. The act introduces significant obligations on private businesses collecting data, called “data fiduciaries,” setting broad rules for data processing, use and retention. It prescribes specific regulations for consent, purpose limitation, data accountability, transparency and accuracy.

Udit Mendiratta, a partner in Argus Partners’ technology and data protection practice, says the new act completely overhauls the previous SPDI regime. “The SPDI Rules were fairly basic. They had very basic compliance requirements - consent and reasonable security practices being in place. Those are not sufficient to meet the demands of today. This new act, while building on SPDI principles, overhauls the system and provides far more stringent, detailed and nuanced compliance requirements.”

In a significant shift in policy from previous drafts, the act widens the scope for cross-border data flow and relaxes data localization requirements.

The act provides specific parental consent requirements for processing data of children, restricting data fiduciaries from tracking, behavioural monitoring and targeted advertising directed at children. The act also establishes a Data Protection Board, which will serve as a complaint redressal mechanism for personal data providers, regulate compliance and prescribe penalties for breaches. For non-compliance and data breaches, the act prescribes penalties of up to 2.5 billion rupees ($30 million).

MORE OBLIGATIONS

Experts agree that with the introduction of specific consent and notice requirements, regulations on data processing, reporting obligations and high penalties, companies will no longer be able to skirt personal data-protection obligations as was the case under the SPDI Rules.

The act’s coverage is wider than under the previous regime, says Anirudh Rastogi, founder and managing partner of Bengaluru-based law firm Igikai Law. “While the SPDI only governed a subset of personal data, the new act governs the entire set of digital personal data,” he notes. “Businesses have obligations to implement security measures, notify breaches, and delete data after processing.”