The Digital Personal Data Protection Act, 2023 (DPDP Act) introduces several novel obligations on data fiduciaries (DFs). Compared with the extant data protection regime, the new regime constitutes a tectonic shift. However, the DPDP Act does not provide a clearly defined transition period within which industry has to comply with these obligations. Transition periods are essential to give regulated entities sufficient clarity and certainty to organise their operations. In this piece, we delve into the various obligations imposed on DFs under the DPDP Act and argue for a reasonable transition period before enforcement of the DPDP Act, to ensure that entities have sufficient time to prepare for compliance.
Obligations on DFs under the DPDP Act
Before we begin, it would be important to note that the DPDP Act defines a DF as any person who either alone, or in conjunction with other persons, determines the purpose and means of processing personal data. Further, a data processor has been defined to mean any person who processes personal data on behalf of a DF. Lastly, a data principal has been defined as the individual to whom the personal data relates. It may be noted that, while DFs have been given exemptions from obligations under certain circumstances as laid down in the DPDP Act, in this piece, we solely focus on understanding what such obligations may entail.
1. Adherence to grounds for processing of personal data (Section 4)
Section 4 states that a person may process the personal data of a data principal only in accordance with the DPDP Act, and only for a lawful purpose for which the data principal has given consent or for one of the legitimate uses detailed in Section 7 of the DPDP Act.
While international regimes such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act, 2018 (CCPA) also place due emphasis on the consent of the data principal, the consent standard under the DPDP Act is more stringent, because outside the legitimate uses in Section 7, consent is the only ground on which personal data may be processed. Section 7 does not expressly provide a “legitimate interests” ground (as present in the GDPR) for businesses and commercial enterprises. This leaves legitimate business interests such as processing of personal data for marketing, security, etc., or any other ancillary interest of the business other than the provision of goods or services to the data principal, beyond the scope of “legitimate uses”.
2. Requirement to give notice (Section 5)
Section 5(1) states that a DF must provide the data principal with a notice for the collection of personal data before or at the time of requesting consent. This notice should inform the data principal of, inter alia, the personal data sought and the purposes for which it may be used. In addition, the DF should provide the data principal with an option to access such notice in English or any language specified in the Eighth Schedule to the Constitution of India (Constitution). Further, Section 5(2) states that where consent was obtained before the commencement of the DPDP Act, the DF is required to give a similar notice to the data principal as soon as “reasonably practicable”. However, it also states that the DF may continue to process the personal data until the data principal withdraws their consent.
In terms of the format of the notice, while the Digital Personal Data Protection Bill, 2022 stated that such notice could be in an electronic form, or part of the same document through which personal data is collected, or in any other prescribed format, the DPDP Act does not say anything in this regard. Quite ambiguously, Section 5(1) of the DPDP Act merely states that the manner in which such notice may be given shall be prescribed. Given the need to provide notice both for the collection of new data and for existing data, the prescribed format of the notice may prove to be a crucial compliance obligation.
3. Request for consent (Section 6)
Section 6(3), inter alia, states that every request for consent should be in clear and plain language, and that the DF must provide the data principal with an option to access it in English or any other language specified in the Eighth Schedule to the Constitution. Further, such a request should contain the contact details of the DF’s authorised person responsible for responding to any communication from the data principal for the purpose of exercising the data principal’s rights.
It may be noted that a similar requirement to publish user-facing policies of intermediary platforms in Eighth Schedule languages was introduced through the October 2022 amendments to Rule 3(1)(b) of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (IT Rules). This language requirement appears to be a recurring feature of new tech-related legislation. Further, providing a data principal the option to access the request for consent in multiple languages may prove to be a nuanced compliance obligation for DFs across sectors.
4. Cease the processing of personal data upon withdrawal of consent [Section 6(6)]
Section 6(6) states that once a data principal withdraws consent, a DF (along with its data processors) must cease processing their personal data within a reasonable time of the withdrawal. However, such processing may continue without the data principal’s consent if it is required or authorised under the DPDP Act, the Rules made thereunder, or any other law in force in India.
It may be noted that this is further explained through an illustration, which, inter alia, concerns ceasing to process a user’s e-mail address for sending telephone bills once the user has opted to receive them via a mobile app. In addition, this obligation requires the DF to ensure that its data processor has also stopped processing such data, which may need to be reflected in the contracts between DFs and data processors.
5. Compliance with the DPDP Act [Section 8(1)]
Section 8(1) states that a DF is responsible for complying with the DPDP Act and the Rules thereunder in relation to any processing undertaken by it or on its behalf by a data processor. Further, the DF must ensure such compliance irrespective of any agreement to the contrary or of a data principal’s failure to carry out their duties under the DPDP Act.
It may be noted that Section 8(1) has been left out of the broad exemptions granted under Section 17 which lists exemptions for DFs in certain circumstances.
6. DF to engage data processor only under a valid contract [Section 8(2)]
Section 8(2) states that a DF, in the course of offering goods or services to data principals, may engage a data processor to process personal data on its behalf only under a valid contract.
Given that the obligations of DFs extend to processing activities undertaken on their behalf by data processors, the valid contract required by this provision is the instrument through which such obligations flow down to the data processor as contractual requirements. The regulatory obligation, however, remains with the DF.
7. Ensuring the quality of personal data processed by the DF [Section 8(3)]
Section 8(3) states that where personal data processed by a DF is likely to be used to make a decision that affects the data principal, or is likely to be disclosed to another DF, the DF must ensure the completeness, accuracy and consistency of that personal data.
8. DF’s responsibility to ensure effective observance of the DPDP Act [Section 8(4)]
Section 8(4) states that a DF is required to implement “appropriate technical and organisational measures” to ensure “effective observance” of the DPDP Act and the Rules made thereunder.
9. DF’s responsibility in relation to personal data breaches [Sections 8(5) and (6)]
Section 8(5) states that a DF must protect the personal data in its possession or under its control by taking reasonable security safeguards to prevent a personal data breach. This obligation extends to any processing of personal data undertaken on the DF’s behalf by a data processor. Section 8(6) states that in the event of a personal data breach, the DF must intimate the Data Protection Board of India (Board) and each affected data principal, in such form and manner as may be prescribed.
The Minister of State for Electronics and Information Technology (MeitY), in a recent interview, stated that breaches under the DPDP Act will “get accumulated”[1] and would be taken up by the Board once it is constituted. However, further clarity may only be achieved once subordinate legislation is issued.
10. DF’s data retention practices [Section 8(7)]
Section 8(7) states that a DF is required to erase the personal data of a data principal upon the data principal withdrawing their consent, or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier, unless retention is necessary for compliance with any law for the time being in force. Further, a DF must cause its data processor to erase any personal data that the DF made available to such data processor for processing.
It may be noted that, because the obligation to erase data is tied to the “serving” of the “specified purpose” of processing, the way a DF describes that purpose becomes crucial: the description must cover all the services actually provided, or erasure may be triggered while the data is still needed. In addition, contractual agreements with data processors should mirror these clauses to ensure timely erasure of personal data.
11. Addressing concerns/grievances of data principals [Sections 8(9), 8(10) and 13]
Section 8(9) states that a DF is required to publish, in the prescribed manner, the business contact information of an authorised person responsible for answering questions raised by a data principal about the processing of their personal data. Further, Section 8(10) states that a DF is required to establish an “effective mechanism” to redress a data principal’s grievances. Separately, Section 13(2) states that a DF or consent manager should respond to grievances raised by a data principal within the prescribed period, and a data principal must exhaust this grievance redressal mechanism before approaching the Board.
While the DPDP Act imposes such grievance redressal obligations on DFs, it may be noted that Section 15, which lays down the duties of a data principal, requires data principals to ensure that they do not register a “false or frivolous” grievance or complaint with a DF or the Board.
12. Children’s personal data (Section 9)
The DPDP Act defines “child” as “an individual who has not completed the age of eighteen years or such lower age as the Central Government may notify.” A DF is required to obtain “verifiable parental consent”, (which includes the consent of a lawful guardian, where applicable) before processing any personal data of a child, in such a manner as may be prescribed. Further, a DF should not undertake any processing which is likely to cause harm to a child, which includes prohibition on tracking, monitoring, or directing targeted advertisements to children (tracking prohibitions). However, requirements related to verifiable parental consent and tracking prohibitions may not be applicable to certain classes of DFs or certain purposes, subject to certain conditions, as prescribed. Lastly, the Central Government has the power to notify the age above which a particular DF shall be exempted from the applicability of all or certain restrictions in respect of children’s personal data processing if it is satisfied that such DF has ensured it processes children’s personal data in a “verifiably safe” manner.
13. Obligations on significant DFs (Section 10)
Under Section 10 of the DPDP Act, any DF classified as a significant DF (SDF) has additional obligations. Inter alia, these include the appointment of a Data Protection Officer to represent the SDF under the DPDP Act, who must be based in India, be responsible to the governing body of the SDF, and serve as the point of contact for grievance redressal under the DPDP Act. Further, an SDF is required to appoint an independent data auditor to evaluate its compliance with the DPDP Act. In addition, an SDF is required to undertake periodic data protection impact assessments and periodic audits, as may be prescribed. Lastly, a broader provision states that SDFs must undertake any other measures in relation to the purposes of the DPDP Act, as may be prescribed.
14. Obligations in relation to data principal’s rights (Sections 11-14)
Data principal’s right to access information about their personal data (Section 11): Section 11(1), inter alia, states that a data principal has the right to obtain information related to their personal data from a DF to whom they have previously given consent. Such a request may be made by the data principal in the manner prescribed. Upon receiving a request, the DF must provide the data principal with: first, a summary of the personal data of the data principal being processed and the processing activities undertaken; second, the identities of all other DFs and data processors with whom the personal data has been shared, along with a description of the data so shared; and third, any other information in relation to the personal data of the data principal and its processing, as may be prescribed.
Data principal’s right to correction and erasure of personal data (Section 12): Section 12, inter alia, states that a data principal has the right to correction, completion, updating and erasure of the personal data for whose processing they have given consent to a DF, in accordance with any requirement or procedure under any law for the time being in force. Upon receiving a request, the DF must, first, correct the data principal’s inaccurate or misleading personal data; second, complete the data principal’s incomplete personal data; and third, update the data principal’s personal data.
Section 12(3), inter alia, states that a DF must erase the data principal’s personal data upon request, unless retention is necessary for the specified purpose for which it was processed or for compliance with any law for the time being in force.
Obligations in relation to the data principal’s right to grievance redressal (Section 13): Section 13, inter alia, states that a DF must respond to a data principal’s grievance concerning either any act or omission of the DF in the performance of its obligations in relation to the data principal’s personal data, or the exercise of the data principal’s rights under the DPDP Act, within such time as may be prescribed for all DFs or for a class of DFs.
Obligations in relation to the data principal’s right to nominate (Section 14): Section 14, inter alia, states that a DF must ensure that the data principal can exercise their right to nominate any individual who shall exercise the data principal’s rights under the DPDP Act in the event of the data principal’s death or incapacity.
In terms of the compliance timelines that may be introduced for such rights, the Minister of State for MeitY stated[2] that DFs may be given adequate transition time for obligations where there is a “need for architecturally developing some capability and capacity”. However, further clarity is awaited.
15. Obligations in relation to cross-border data transfers (Section 16)
Section 16 states that the Central Government may, by notification, restrict the transfer of personal data by a DF for processing to any country or territory outside India. Nonetheless, a DF remains bound by any other law in force in India that provides a higher degree of protection for, or restriction on, the transfer of personal data outside India.
Case for an extended timeline
The practice of placing a “transition gap” of at least 24 months between the passage of a data protection law, and implementation of its provisions, is evident globally across the spectrum of developed and developing nations. While the European Union General Data Protection Regulation (EU GDPR) ensured a two-year transition gap, the California Privacy Rights Act in the US had a transition gap of nearly three years. Closer to home, Singapore has enforced amendments to the Personal Data Protection Act, 2012 in a staggered manner to ensure that industry was given adequate time for compliance. The staggered implementation approach has also been followed by Brazil, with provisions of the data protection law being implemented over a span of three years.
India, as a developing nation with an evolving data governance framework, should consider providing an extended timeline for transition under the DPDP Act. As per recent reports, industry stakeholders have sought an extended timeline of at least 24 months to address requirements such as upgrading technical architectures to operationalise the novel requirements for protecting children’s data, data principal’s rights, notice requirements, etc. A clearly defined timeline will aid business certainty in the tech sector, tech adjacent sectors, and boost the economy.
Such an extended timeline will not only ensure the effective implementation of the DPDP Act, but also give regulated entities due time to comply with the law, irrespective of their current organisational capabilities. Furthermore, given that the DPDP Act currently houses broad principles rather than actionable measures on data protection, covered entities may not fully understand the extent of the changes to be undertaken. The contours of compliance will only emerge on the issuance of further subordinate legislation.
At a more fundamental level, allowing covered entities sufficient time to incorporate data protection norms into their organisational practices will help embed those practices in their future endeavours. Notably, implementing new practices and policies and building technological solutions to comply with the obligations under the DPDP Act will be a resource-heavy and time-intensive process, given the volume of personal data processed by certain DFs. Lastly, an extended timeline will also give the Central Government sufficient time to formulate a nuanced governance framework under the principles of the DPDP Act. A well-structured governance mechanism would also ensure ease of doing business in India and propel foreign investment. A data protection regime enforced in haste may leave the requirements of the DPDP Act unclear to the entities bound by them, and could result in increased data privacy and cybersecurity risks for India.
Therefore, it becomes essential to ensure a smooth implementation of the DPDP Act by providing a “transition gap”. Additionally, the Government may create dedicated communication channels to clarify doubts on the DPDP Act’s implementation, collaborate to train and educate personnel, and help with technology upgrades. The Government may also consider issuing non-binding industry best practices to aid in understanding the DPDP Act’s technical and qualitative requirements, while relying on industry practice to evolve organically. Given India’s larger aim[3] of becoming a 1 trillion-dollar digital economy by 2026, having a viable data protection environment in place would prove critical to this endeavour.
†Research Fellow, Shardul Amarchand Mangaldas.
††Research Fellow, Shardul Amarchand Mangaldas.
The authors would like to thank Shahana Chatterji, Namrata Ramachandran and Malikah Mehra for their input.
[2] Aarathi Ganesan, “Large, Mature Cos Don’t Need Much Time to Comply with Data Protection Law: 15 Talking Points from the DPDP Act Consultation”, medianama.com, 20 September 2023.