Mr Na. Vijayashankar, Data Governance and Data Protection Consultant & Chairman, FDPPI, presented an overview of the DPDP Act 2023 and led the discussion with:
Dr Anirban, Senior Manager Data Compliance – India & AMEA, BT India, Kolkata.
Dr Avinash Dhadhich, Dean, Manipal Law School, Bangalore
Ms Savitha Kesav Jagadeesan, Senior Partner, Kochhar & Co.
Mr Rohan K George, Partner, Samvad Partners
Mr Mahesh Balakrishnan, Associate Director – Security Governance & Compliance, Uniphore
Mr Na. Vijayashankar: On the 11th of August 2023, the Digital Personal Data Protection Act 2023 was passed in India. We have been waiting for this development for many years and we are very happy it has happened, because India needed a law of this nature. The deficiencies of the Act can always be improved. My first question to the panel is: What is the applicability of this Act? Why is it called Digital Personal Data Protection Act?
Mr Rohan K George: All the previous iterations of data protection bills and legislations did not make a distinction between digital data and non-digital data and also did not distinguish between automated processing and non-automated processing of data. However, this Act very clearly limits its applicability to data which is automated. In India, we are moving deeper and deeper into a pure digital governance system and so much of India’s record keeping and documentation is in non-digital form. There are many organizations which still prefer to keep paper registers. Now we have two standards for the protection of data and, more importantly for the protection of individual privacy in situations where the data is digitized and where the data is non-digitized. It also raises a concern for me, because it disincentivises digitization, as people know that as long as they are outside the digitization parameters, they are effectively outside of the applicability of the Act itself.
Mr Na. Vijayashankar: How does this Act address the concerns expressed by the Puttaswamy judgment?
Mr Na. Vijayashankar: We call it digital because it is applicable to data collected in digital form in India and data which is collected in physical form, but digitized by entering it into the computer. These are the two things which have been covered here. This Act is trying to focus on information privacy and somehow the government has felt that non-information privacy is not a serious concern for the community and that the existing laws will take care of it. We call it personal data. How do we see its applicability to whatever is not personal?
Dr Avinash: It depends on the interpretation of how we define data and the personal dimension of data. We need to understand the objective of this law. Data is useless just like raw oil. It has to be refined, converted into a particular product, and the final product has some commercial value. We have to see this from two dimensions—one from the customer’s or the principal’s point of view and the other from the company’s point of view. For me as an individual, everything is personal, but for a company, everything is not personal. There’s a lot of information which is available in the public domain. So, it depends on the interpretation.
Mr Na. Vijayashankar: When we say person, many people are confused as to who this person is. Is the protection limited only to the individuals?
Mr Mahesh Balakrishnan: We talk about all the other clauses in terms of personal definition. But if you look up the definition within that Act, it brings about the juristic aspects of that person. We must know where we get the data from. Are we using it for the defined purposes or complementary purposes?
Mr Na. Vijayashankar: I see person in two different dimensions—a person whose privacy has to be protected by protecting or managing his personal data. The other is an organization which collects the personal data, which is also a subject of this Act. If the organization fails in its obligation, it can be levied a fine to the tune of even 250 or 500 crores. In business, there are proprietary concerns and partnership firms, and we have transactional data between a company and an individual which is a mix of personal and business data. As a data manager, which data can I say is personal data and which is not personal data?
Dr Anirban: Indian companies are in a hurry to understand and implement this Act, but what is really important is to understand my data source, from an organizational standpoint, not individual. The second one is to define the type of data, and the third, what I am doing with the data. Am I giving it to a third party or am I processing it? Every organisation must perform the data mapping exercise.
Mr Rohan K George: The Act creates two kinds of actors—one is the person who’s doing the processing of data, which can include all kinds of persons including individuals and then it creates a category of personal data, which is data about an individual. When a person is identifiable by data, you can very easily establish a direct correlation; but when a person is identifiable in relation to data, that creates a very interesting situation where you have certain data points, which need not necessarily directly allow identification of a person, but—when combined with others—will have the effect of being able to identify that person within a certain range. This is a bigger definition of personal data than in previous iterations of the Act. But, at least, it allows us to understand that personal data does not have to only mean name, address, email ID and the like, but can include much more sophisticated data.
Mr Na. Vijayashankar: The DPDP Act defines the role of a person who decides about the purpose and means of processing data as a data fiduciary. It also makes a reference to a significant data fiduciary. Section 43A of ITA2000 spoke of sensitive personal information. Organisations which process a large quantity of sensitive personal information are always considered a high-risk business. Can you tell us how this Act identifies a significant data fiduciary?
Ms Savitha Kesav Jagadeesan: One of the most prominent criteria is what kind of data is being collected. Then comes the volume and sensitivity: what rights are affected and the territoriality of that data. Anybody using a data processor or a processing agent will fall under a data fiduciary. In fact, anybody using a significant amount of data, which affects the territoriality or the sovereignty of a populace, will become a significant data fiduciary.
Mr Na. Vijayashankar: What are additional obligations of a significant data fiduciary?
Dr Anirban: Three extra obligations. One, you need to appoint a Data Protection Officer or DPO, who will be based in India and whose contact details will be published on the website of the organization. The second, the organization needs to implement the infrastructure to do a Data Privacy Impact Assessment (DPIA) for any change within the organization with regard to processing or collecting personal data, along with any new project or technology that has been built which will be using or processing personal data. The third one is to appoint an independent auditor to get an audit of all the processing activities or all the compliance against the DPDP Act 2023. The frequency of the audit will be announced in due course by the central government.
Mr Na. Vijayashankar: Who is a consent manager? What kind of data fiduciary is he?
Mr Rohan K George: One of the key obligations of a data fiduciary is to inform the data principal of the right to appoint a consent manager, who can be a layer between the data fiduciary and the data principal.
Mr Mahesh Balakrishnan: When there are third party consent managers, they become significant data fiduciaries. Who is going to manage that?
Dr Avinash: It’s not a very new concept. We are already doing it in the financial sector. But there are a few questions which need to be asked now, like: How many players would be allowed by the government? What would be their market power in this situation? We are going to deal with billions of requests by different people and organizations. So, we need to see the power of the consent manager. The entire objective of this data privacy law is to protect the privacy of the people or give some sense of privacy. When we appoint consent managers in big organisations, what would be their responsibility? Definitely, it will be cleared by subsequent notifications and circulars. But I think their responsibility will be very important. We should not forget that the government will also be a significant data fiduciary under this Act. What happens when there is a conflict of interest between the consent manager and the significant data fiduciary, is a question that comes to my mind.
Mr Na. Vijayashankar: What I see in the Act is that the consent manager will be a special kind of data fiduciary. He will be registered and there will be a set of guidelines that will exclusively define his roles and responsibilities. He will represent the data principal, not the data fiduciary, which means that he will be acting as a trustee. The consent manager which we are presently aware of in the financial sector is a technology platform. It is working more like an intermediary. The data comes from one end and it goes to the other end. This intermediary or the consent manager doesn’t have access to the data of a person, whereas what this Act envisages is that the consent manager in a big organization may have visibility of the data but he’s expected to protect it by his own methods. The consent manager also needs to take the responsibility for managing visible personal data.
Dr Anirban: What would be the economics of the consent manager?
Mr Na. Vijayashankar: If I am going to use a bank’s safe deposit locker, I pay money to deposit my things. Similarly, if the data principals think that they need to protect their data and when they themselves cannot do it and want somebody to assist them, they can have a data consent manager. How much he will collect from the data principal is a thought worth pondering. A revenue model has to be devised by the consent manager. If I have to do KYC, I have to spend 200 or 250 rupees. The consent manager can have KYC done for a million sets and then tell these companies that each time they don’t have to take money like Cibil does.
Mr Mahesh Balakrishnan: If I’m a data fiduciary, can I go ahead and build a platform to manage the consent of all our data principals? How independent can a data fiduciary be, if they can go ahead and build a platform?
Ms Savitha Kesav Jagadeesan: Building a platform is perfectly fine so long as it fulfils the requirements that have to be provided, which is the notice and what is required to be given in the notice. The consent manager is essentially an additional aspect that has been provided to make it easier for the data principal to provide the consent.
Mr Na. Vijayashankar: There are 44 sections in the Act and they need to be clearly understood. There are complexities and if we are not able to understand this, penalties are there which may extend from 50 crores to 250 crores for different categories, like not reporting the data breach or not having adequate safeguards, not having organizational policies and things like that. If I don’t know that I am a significant data fiduciary and, therefore, I don’t appoint a DPO, my classification error will lead me to not having a DPO and therefore, I am liable for the penalty.
The Act says that it is applicable to digital personal data processed in India. The digital personal data processed in India need not necessarily be of only Indian citizens, it can be of somebody else also. If data is processed outside India, but it is related to some business services to Indian people, that is also covered. But if there is an Indian company which is doing some processing outside India and if that data is not of Indian people, it is not covered under this Act. In that aspect, it is substantially different from GDPR.
Mr Rohan K George: The exemption given for processing of data of non-residents, pursuant to a contract outside India, doesn’t exempt the entity from the entirety of the Act. It exempts them from the obligations, but it does mention that they are still required to generally comply with the Act and it requires them to maintain reasonable security standards and practices. It exempts them from cross-border processing and it exempts them from the data principal. Thus, it is a limited exemption.
Mr Na. Vijayashankar: Yes. Section 17 is not an absolute exemption. Our law focuses on consent being absolutely essential, based on a notice that can be served in 22 languages. The collection of data has to be purpose oriented and unlike GDPR, it doesn’t list out five or six elements. It is all implied in the purpose. If a purpose is over, you’re not supposed to retain that data. The data retention minimization is ingrained in the purpose itself. Data minimization is also part of the purpose. You’re collecting it for a purpose and therefore, the purpose has to justify what you collect.
There are certain legitimate users. There is a section on legitimate use where consent may not be required. Earlier, we used to have something called deemed consent. Now, they call that legitimate consent. From a compliance point of view, an organization must first think, “Am I exempted? If not exempted, am I coming under legitimate use that will minimize my compliance requirements?”
I have always been advocating for compliance by design. I think this Act has taken that suggestion of mine.
Ms Savitha Kesav Jagadeesan: The illustration that they have provided is that of a pharmacy. When you enter the pharmacy, you provide all your personal data and acknowledge the receipt of payment for the purchase. Then that data is processed by the pharmacy and held on. Once you’ve gone to the pharmacy, given the data and finished your transaction, there ends the pharmacy’s use.
Mr Mahesh Balakrishnan: Whose legitimate interest are we talking about—the data giver’s or the data receiver’s? Unless there is a complementary purpose, we are not supposed to go ahead and use that same data for a different purpose. The question is, are we stopping it? The other thing is, when you talk about personal data, we go ahead and anonymize the data. Once we anonymize it, it becomes non-personal data. What do we do with that? Contractual compliance talks about receiving the data, storing, processing it and destroying it and giving it back to the organization in a structured or unstructured format.
Mr Na. Vijayashankar: What are the duties of the data principal?
Mr Rohan K George: We were advising an Indian company on GDPR compliance. A new category of litigators has arisen in the EU, which is the data troll. What that means is that there are people who go out and hunt down flaws in data, compliance, data privacy and so on. The duties listed are mostly straightforward and some bother me. You don’t want a person who has genuine grievances having his class listed under ‘frivolous.’
Mr Na. Vijayashankar: Let us not think that DPDP will be anti-people.
Dr Anirban: It is culturally very well-defined. We know the challenges we might get from a data principal. The data fiduciaries or the organization need some sort of safeguards. This aspect is taken care of in the Act.
Ms Savitha Kesav Jagadeesan: One of the duties that a data principal must keep in mind is never to give false information.
Dr Avinash: I agree with Savitha because when we try to develop a data privacy culture and at the same time we are imposed a 10,000 rupee fine if the board finds that your complaint is not genuine, are we not trying to create terror in the minds of the people that if I go against a big company, I may also be prosecuted?
Mr Na. Vijayashankar: That is for the government and DPDP to ensure that it will not happen.
You talked about legitimate use. Organizations undergo change. Today you’re in banking; tomorrow you may be in a pharmacy. Under the financial services, there are many services. If I say legitimate use today is selling a credit card, tomorrow it can be insurance. So, what happens to the data after the transaction, when the relationship has not stopped and it continues?
Mr Mahesh Balakrishnan: You collect the data for one purpose. If you want to go ahead and process the data across your services or your products, then you must provide notification to the data principal. When you seek data, you must clearly define the purpose.
Ms Savitha Kesav Jagadeesan: You can retain the data so long as there’s no withdrawal of consent. When you hold that data, see to it that manipulation of data is not done. The idea is that withdrawal of consent can take place anytime.
In what ways does the Data Protection Act promote accountability and encourage organizations to implement robust data protection measures?
Mr Na. Vijayashankar: The Act says that the company should have organizational and technical measures to be compliant with every provision of this law—Section 1 to 44. Otherwise, the deterrence is in the form of penalty. There is no criminality though. If a breach or a lack of competency to be compliant comes to the knowledge of Data Protection Board, they can impose a penalty. If and when a data breach happens and the DPB questions you, then you should be able to prove that you are in compliance.
When the data has been provided for different purposes, on whom will the responsibility be fixed if a data breach happens?
Mr Na. Vijayashankar: Every data fiduciary is responsible for the data which he/she has collected. If the data has gone to multiple areas, you have to look at the source of data breach and wherever it has breached, that data fiduciary will be responsible.
What measures does the Data Protection Act put in place to ensure sensitive data is adequately protected?
Mr Rohan K George: At present, the Act does not directly address a blanket protection for sensitive personal data. In my opinion, that’s a concern. I’m sure it will be addressed by subsequent regulations. But it addresses two aspects—the first one is children’s data, which is a certain subcategory of sensitive personal data. Here, it calls for verifiable consent of the guardian of a disabled person or a minor. The other aspect it touches is the significant data fiduciaries, which we discussed. The Act does not override the existing regulations, which have been put in place by various financial regulatory bodies, such as the RBI, the SEBI and the like, to protect individual financial data.
If we have a fraud control unit in an organization for employment purpose, will it fall under the exemption for consent?
Mr Na. Vijayashankar: The idea of the fraud control unit does not come under the employment purpose, because it will come under a standard operating process (SOP). The exception that has been provided for employment use is with regard to processing your data. There is exemption available for the information security for the interest of the organization, including IPR and trade secrets. There is no protection as far as the employees are concerned, as the organization can do surveillance and background verification. In financial services, if there is a default of a loan, after the default has happened, then whatever data that is collected and processed can again be outside the restrictions. To that extent, the interest of companies has been taken into account.
Is the current Act applicable to the NRIs, or only to the citizens of India, irrespective of where the data is processed?
If any foreigners’ data is being processed in India, that doesn’t fall under this Act. But if the data is processed abroad, even if it is an NRI or citizen’s data, and it is to be used in India for a particular purpose, then it falls under the Act.
While taking consent, should we mention the retention periods?
Mr Na. Vijayashankar: Just link it to the purpose and that will automatically take care of the retention period. If the consent is a recurring consent, it may go for a longer time. If it is for a single purpose, it will end there. For instance, for KYC you want to have a video. That is only for the time till you complete the onboarding. Afterwards, retention should not be there.
How do you encourage the organizations to take swift and responsible actions?
What role does transparency play in the data protection? How will it empower individuals to have more control over their personal data?
Dr Anirban: For any business or organization, it is really important that they are honest and open with their customers, or in this case with the data principal. The data fiduciary must stick to the legitimate interest while processing the data. If there is a change in the purpose or means of processing, the relevant user consent is required and that’s where the transparency comes in.
In what ways will this Act address the challenges posed by the emerging technologies like AI, Biometrics and IoT?
Mr Mahesh Balakrishnan: The source of the data is important. If I get an answer to where my data source comes from, the next aspect is, once they process that data, what happens to the personal as well as non-personal data? I can question my team on my source of data and how they build the algorithms and the models and how effectively my privacy and security are taken care of.
Mr Rohan K George: Every organization must definitely discover their data sources and do an extensive gap analysis to identify where the organization is and where they need to be.
With the rise of global data flows, how is the DPDP Act aligned with the international data protection standards and regulations like GDPR?
Mr Na. Vijayashankar: GDPR is a different law applicable to the EU data. DPDP Act is a different law applicable to the Indian data. The two are different and will stand on their own. We have to develop our own standards for being in compliance with this and that is what FDPPI is doing with the personal data protection compliance standard of India.