35 ASIAN LEGAL BUSINESS – SEPTEMBER 2023 WWW.LEGALBUSINESSONLINE.COM

DATA PROTECTION

Moreover, Mendiratta notes that the onus of proving compliance under the law is now a positive obligation on the data fiduciary. While the SPDI Rules had consent requirements, the new act “says consent has to be free, specific, informed, unconditional, unambiguous, affirmative action. So it’s really on the data fiduciaries now to demonstrate how they have checked all these boxes.”

On the other hand, the act also empowers data principals, the people who share their personal data with fiduciaries, to control and verify how their data is used, stored, and transferred. “This requires a sophisticated user-facing consent process as well as internal systems and tools that are largely absent in the Indian market today and will come at a significant cost for the small and medium-sized companies,” says Mathew Chacko, the head of Spice Route Legal’s TMT practice.

Data fiduciaries must also ensure that data is only used for the purpose for which consent was given. This includes “where users may have denied the use of ad-tech tools to process their data for data analytics or targeted advertising,” Chacko says.

Even data processors, while exempt from compliance requirements under the act, are not in the clear. “While data processors are exempt from the law, we expect data fiduciaries to subject them to similar obligations – so your classic processors (SaaS tools, outsourcing companies, etc.) should begin to explore compliance as well,” Chacko adds.

DATA ARCHITECTURE

While data architecture is to be drastically enhanced across the board, some companies may already be better placed to comply with the act than others. Multinational companies are better placed than local companies due to their exposure to more than 150 global privacy laws, while tech businesses are also better placed than others due to Google and Apple’s app store privacy requirements, Rastogi says.
So how does a company go about building infrastructure to comply with the act when its provisions are notified? “Businesses need to have a 360-degree view over their data handling practices – know where the data is flowing in, how it is used, where it is stored, who it is shared with and when is it deleted,” Rastogi says. Once a company has gained visibility, it must take steps to identify gaps and implement measures to rectify those gaps, he adds.

This is an elaborate exercise, explains Mendiratta: “Companies must firstly, list down the kind of data being collected and decide what is essential for their purpose. Secondly, companies must also very clearly define for themselves and for their end users the purpose of this data collection.” Companies also need to do a risk and cost-benefit analysis on whether they want to build internal capabilities to ensure compliance or outsource to third-party consent managers, as is often the case in other jurisdictions, Mendiratta adds.

Particular to India are also questions around the capability to obtain consent in regional and local languages. “There’s a huge volume of apps which penetrate local markets based on language because they are offered in multiple languages,” Mendiratta explains. While the law prescribes the requirement of informed and verifiable consent, it is unclear whether companies will be expected to build capabilities to obtain consent in local languages.

Building critical data infrastructure will require companies to consider increasing investment in technology and manpower. Tech tools to automate data collection and storage, identify breaches, and empower users to monitor the use of their data might significantly bring down costs in the long term.
“Companies will also have to start exploring the option of in-house data privacy officers and privacy teams to implement and oversee compliance, which will require corporate data governance strategies, organisation rehauls, and significant training,” Chacko adds.

START THE COMPLIANCE

While the provisions of the act will come into force when notified by the Central Government, and some leeway period to allow organizations to fall in line is expected, experts believe companies must get serious about building compliance capabilities today. It is unclear how much time the government is going to grant companies to comply with a provision once notified, so to ensure no disruptions to data collection and business operations, it is essential that companies start working towards compliance immediately, Mendiratta advises his clients.

The burden may be higher in particular sectors, as the act leaves space for sectoral regulators to impose higher obligations. Rastogi says it is likely the finance sector may see higher obligations, as the Reserve Bank of India is proactive about regulating transactional and lending data, and entities including payment providers and digital lenders. Experts agree that finance and banking, social media, e-commerce, healthcare and ed-tech companies have the most to worry about, given their exposure to high quantities of sensitive data and strong regulatory oversight.

There have also been talks of the government exempting start-ups from compliance with certain provisions, as there is a fear that the burden of compliance may take a toll on their ability to operate. But this could be a double-edged sword, warns Chacko. “Limited obligations will remove the barriers to entry and innovation that the law could create for smaller companies. However, this must be balanced against the potential misuse of data that a blanket exemption could permit,” he says. Moreover, data principals are growing more conscious of how their data is used.
Mendiratta notes that companies that are exempt may lose business to competitors that are collecting and storing data in compliance with the act. “Users will perhaps hesitate to engage with organizations that are exempt. You’re enjoying an exemption, but there is a certain set of the population which will say, maybe I don’t want to give my data to you.”