Background of Data Protection Laws in India
In the early 2010s, India began addressing privacy and data security concerns by updating its laws. Initially, in 2000, the Information Technology Act laid the groundwork for electronic transactions but overlooked privacy issues.
However, in 2011, India took a significant step forward with the introduction of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011, also known as the “SPDI Rules”, which are part of the Information Technology Act, 2000. These rules aimed to regulate the handling of sensitive personal data and ensure proper security measures were in place.
These rules discuss using ‘reasonable data security practices’ to protect sensitive information. They also guide how companies handle our digital info – from collecting it to using it and keeping it secure. But until now, there hasn’t been a specific law just for data privacy. So, companies and the government had to come up with their own ways to keep our data safe.
Since 2021, India has experienced significant data breaches, particularly in sectors like finance, healthcare, e-commerce, and government services. This highlights the urgent need for strict data protection measures, especially for startups.
As India advances in the digital age, ensuring the security of personal data becomes crucial. The Digital Personal Data Protection Act, 2023 (DPDP Act) reflects this commitment, demonstrating India’s dedication to safeguarding individuals’ information in an increasingly connected world.
And now, with the DPDP Act, the government is getting serious about keeping people’s data safe. This new law will make sure startups and companies follow strict rules for handling our data. Startups and companies now need permission before using it, have clear rules about how long they keep it, and agree to keep it safe.
Overview of the DPDP Act, 2023
In August of 2023, the government of India notified the DPDP Act, 2023.
Compared to its 2019 iteration, the DPDP Act, 2023, adopts a more balanced approach, reducing obligations for businesses while bolstering protections for consumers. While the regulatory framework is simplified, certain provisions grant the central government discretionary powers.
Coverage of Non-Residents
The DPDP Act extends its jurisdiction to Indian residents and businesses handling Indian residents’ data. Notably, it also encompasses non-citizens residing in India whose data processing is linked to activities involving goods or services offered outside India. This inclusion has implications for scenarios such as a U.S citizen in India accessing digital services provided by a non-Indian entity.
Purposes of Data Collection and Processing
Under the 2023 Act, personal data can be processed for any lawful purpose, subject to obtaining explicit consent or for “legitimate uses” as defined by the law. Consent must be freely given, specific, informed, and unambiguous, accompanied by a clear affirmative action. Data collection must be limited to the stated purpose, with consumers provided clear notices outlining their rights and recourse mechanisms.
Rights of Data Users/Consumers
The DPDP Act establishes rights for individuals, including the right to access summaries of collected data and information on data sharing. Individuals can request data corrections, updates, or deletions and nominate recipients for their data. Grievances can be redressed through prescribed mechanisms.
Responsibilities of Data Fiduciaries
Entities including startups, handling digital personal data, termed data fiduciaries, bear defined obligations, including maintaining security measures, ensuring data accuracy, and reporting breaches to the Data Protection Board of India (DPBI). Additional measures include appointing data protection officers, establishing grievance redress mechanisms, and obtaining parental consent for data processing involving minors.
Changes from the 2019 Version
While the DPDP Act, 2023, largely retains broad obligations, it differs from the 2019 bill in several aspects. Notably, it reduces the regulatory scope of the Data Protection Authority (DPA) and introduces additional obligations for startups who significant data fiduciaries.
Moderation of Data Localization Requirements
Unlike the 2019 bill, the 2023 law does not impose stringent data localization requirements. It grants the government the authority to restrict data flows to specific countries through notification, primarily for national security purposes, while acknowledging sector-specific localization requirements for startups.
Exemptions and Regulatory Structure
The law provides exemptions from consent and notice requirements and certain obligations for specified purposes. It establishes the Data Protection Board (DPB) as the regulatory entity, tasked with overseeing data breach prevention and enforcement. Unlike the proposed DPA, the DPB has limited regulatory powers and operates within prescribed mandates.
Compliance and Penalties under Data Protection Laws for Startups
Let us start by understanding who must do to follow the rules of the Act and what businesses need to do to follow them.
Understanding Applicability and Obligations for Startups
The first crucial step in aligning with the DPDP Act, 2023, is to determine its applicability to your business. This Act covers entities involved in collecting, storing, using, or transferring digital personal data within India. It also applies to international entities processing data related to offering goods or services to individuals in India. However, certain exemptions exist, such as data processed for personal or domestic purposes, aggregated data for research, and publicly disclosed data.
Identifying Your Role: Data Fiduciary or Data Processor
Under the DPDP Act, it is essential to distinguish whether your entity acts as a Data Fiduciary or a Data Processor. Data Fiduciaries determine the purpose and means of data processing and bear primary responsibility for ensuring compliance. Data Processors handle data processing on behalf of Data Fiduciaries and must adhere to specific obligations to protect data integrity and confidentiality.
Obtaining Consent from Data Principals
Data Fiduciaries must obtain explicit and informed consent from Data Principals for processing their data. This involves providing detailed notices describing the data to be collected and its intended use. Data Principals have the right to withdraw consent at any time, ensuring transparency and respecting privacy rights.
Providing Notice to Data Principals
Data Fiduciaries must inform Data Principals about the data collected, its purpose, and their rights. Notices should be clear, concise, and easily accessible, emphasizing transparency and empowering individuals regarding their data.
Data Discovery and Classification
Businesses must maintain an inventory of personal data types and map their flow. Data discovery and classification involve identifying and categorizing personal data based on sensitivity and relevance, ensuring accuracy and compliance with data erasure requirements.
Deleting Personal Data Post Purpose Fulfilment
Businesses must delete personal data once its purpose is fulfilled or consent is withdrawn. Data lifecycle management policies should address different data types and retention periods to ensure data is not held indefinitely.
Responding to Data Principals’ Requests
Effective grievance redressal mechanisms, including appointing a Data Protection Officer (DPO), must be established. Data Principals have rights to access, correct, erase, and restrict data processing, with requests addressed promptly to avoid complaints to the Data Protection Board of India.
Understanding Additional Obligations and Penalties
Significant Data Fiduciaries have heightened responsibilities, including appointing a DPO and ensuring compliance with data transfer restrictions. Non-compliance can result in fines up to INR 250 crore, emphasizing diligent data protection practices.
Ensuring Adequate Security Measures
Data Fiduciaries must adopt robust security measures to prevent data breaches and promptly notify the DPB and affected individuals in case of breaches, highlighting the importance of data security.
Preparing for Compliance: Action Plan
Businesses should develop a phased action plan focusing on governance, technology, people, and processes to ensure compliance with the DPDP Act. This plan should address obligations related to notice, consent, data processing, and safeguard implementation to prevent penalties for non-compliance.
The DPDP Act introduces significant fines to dissuade violations of its regulations. While there have been few instances of penalties or compensations due to cyber breaches so far, the enforcement of the DPDP Act is expected to change this landscape. Therefore, it is essential to prepare adequately for compliance.
Penalties under the Act range from INR 10,000 to INR 200 crore, with a maximum cap of INR 250 crore. Notably, criminal sanctions, including imprisonment, have been eliminated from the Act’s provisions.
By emphasizing financial repercussions over criminal penalties, the legislation aims to promote responsible data management while safeguarding individuals’ privacy. These measures cultivate a sense of accountability and security in the digital era.
Misconducts Penalized under the Act
As outlined in the DPDP Act’s Schedule, various breaches incur different maximum penalties:
- Personal Data Breach: Up to INR 250 Crores
- Failure to Notify Data Breach: Up to INR 200 Crores
- Breach in Observance of Additional Obligations in Relation to Children: Up to INR 200 Crores
- Breach of Additional Obligations of Significant Data Fiduciary: Up to INR 150 Crores
- Breach of Duties under Section 15: Up to INR 10 thousand
- Breach of Voluntary Undertakings: Penalties corresponding to the relevant breach
- Other Breaches: Up to INR 50 Crores
Role of DPBI in Penalties
Chapter V of the DPDP Act establishes the DPBI, responsible for imposing penalties. The primary role of the DPBI is to ensure compliance with the Act and protect the rights of Data Principals. It addresses grievances and violations and has the authority to levy fines.
Upon receiving reports of breaches or non-compliance, the DPBI conducts evaluations to determine if an investigation is warranted. If deemed necessary, it initiates inquiries, summoning witnesses, scrutinizing data, and taking requisite measures.
In cases of significant breaches, the DPBI imposes fines, categorized based on the nature of the transgression and outlined in the Act’s Schedule.
Factors Affecting the Penalty for Startups
Before imposing penalties, the DPBI assesses the merits and conducts inquiries, adhering to natural justice principles. Under Section 33(2), factors influencing penalties include the nature and gravity of non-compliance, the type of data affected, repetitive nature, gains or losses, mitigation efforts, proportionality, and likely impact on the violator.
Sector-Specific Regulations
India has several sector-specific regulations for data protection. For instance, the (Insurance Regulatory and Development Authority) IRDAI Information and Cyber Security Guidelines of 2023 oversee data protection and transfer within the insurance sector, while the Health Data Management Policy of 2022 handles similar matters in healthcare. Furthermore, circulars issued by the Reserve Bank of India also regulate the storage and transfer of transaction data.
Implementing Data Protection Measures
The DPDP Act prioritizes individual privacy, mandating organizations to safeguard personal information in the digital era. Adhering to essential guidelines and best practices is crucial for effective compliance with this legislation.
To protect personal data from unauthorized access, organizations should implement robust data encryption measures. Regular data backups are also essential to prevent data loss or breaches.
Transparency is another fundamental principle, requiring organizations to inform individuals about the collection, storage, and use of their personal data. Adopting data minimization practices by gathering only necessary information helps reduce the risk of data breaches.
Organizations must prioritize user consent, offering individuals the option to control their data and withdraw consent if desired. By following these best practices and guidelines, organizations can ensure compliance with the DPDP Act and contribute to safeguarding individuals’ personal data.
Navigating International Data Transfers
Section 16(1) of the DPDP Act grants authority to the Central Government to designate countries where the transfer of personal data is prohibited. In order to avoid clashes with current legislation, Section 16(2) of the DPDP Act gives precedence to laws that have more rigorous data protection provisions when data is being transferred overseas. This means that if another law provides stronger protections, it takes precedence, ensuring a robust data security framework overall. As a result, sector-specific regulators such as the Reserve Bank of India (RBI) and the Securities and Exchange Board of India (SEBI) might implement data localization strategies for industry-specific data gathered by regulated bodies to adhere to regulations.
Unlike previous versions of the law, the DPDP Act does not distinguish between sensitive personal data or critical sensitive personal data. Instead, the Government decides on restrictions case by case. The scope of restrictions can cover a broader range of personal data. Some experts suggest that restrictions may involve imposing additional compliance measures (similar to GDPR adequacy tests) for transferring personal data to designated countries or limiting the transfer of certain data types.
In addition, the Act has an extraterritorial application and is applicable to persons outside the country. This means that foreign companies providing goods and services to individuals in India must adhere to the Act. Furthermore, if a nation is put on a blacklist through a Central Government announcement, the transfer of personal data to firms located in that country would be forbidden.
Section 17 of the Act details circumstances in which cross-border transfers, including those to specified countries or regions, are not limited. In order to avoid conflicts with current legislation, Section 16(2) of the DPDP Act gives priority to laws that have more stringent data protection regulations for international data transfers where the processing of personal data is required for law enforcement, crime deterrence, detection, inquiry, or prosecution, as well as carrying out judicial duties, meeting contractual commitments with overseas entities, corporate agreements, or performing financial evaluations for financial institutions.
Impact on Startups and Tech Companies
Compliance Challenges: Technology companies are facing significant challenges as they strive to align their data processing practices with the requirements of the DPDP Act. This involves a thorough revamp of existing processes to ensure compliance with the new regulations. One of the primary challenges is the need to upgrade technological safeguards to protect user data effectively. This upgrade comes with increased costs, as companies invest in creating accessible, transparent, and interoperable technology for managing user consent and data rights.
Additionally, training staff for data processing supervision and managing consent mechanisms adds another layer of expense. Additionally, startups must revamp their privacy policy and terms of use agreements showcased on their websites and apps. Ensuring compliance with the DPDP Act also means undertaking annual operational assessments and meeting additional obligations for significant data fiduciaries. These obligations may include appointing a data protection officer and conducting periodic data protection impact assessments. For startups with limited financial resources, balancing data compliance with cost management becomes imperative to ensure sustainable operations.
Read our guide on startup privacy policy for more information.
M&A Impact: The DPDP Act is set to have a significant impact on merger and acquisition (M&A) practices, particularly concerning technology companies. The Act introduces new consent requirements from data principals for transactions involving data-rich entities, posing challenges for M&A transactions. Negotiations on claim limitations may become more complex as parties seek to address uncertainties arising from the new regulatory landscape.
Moreover, technology companies may face potential overregulation as they navigate compliance with both the DPDP Act and sector-specific regulations. This could necessitate a nuanced approach to aligning with diverse regulations on data processing. In cross-border M&A transactions, obtaining the Indian government’s consent may become necessary if the acquirer is based in a government-blacklisted country. As a result, M&A diligence and valuation processes will need to focus more intensely on evaluating compliance with the DPDP Act and ensuring that data protection measures are robust and effective.
Concluding Remarks
The DPDP Act, 2023, marks a significant step towards balancing data protection with regulatory simplicity. While it streamlines obligations for businesses and enhances consumer protections, its efficacy will depend on effective implementation and oversight by the newly established Data Protection Board.
Frequently Asked Questions (FAQs)
Q. What obstacles do Companies encounter when following Data Protection Laws?
A. The obstacles that companies face in complying with data protection laws:
- Regulatory Complexity: Data protection laws are intricate and often undergo changes, posing difficulties for companies aiming to comply.
- Global Operations: Businesses operating in multiple jurisdictions must navigate diverse and sometimes conflicting data protection regulations.
- Compliance with Data Transfers: Transferring data across borders necessitates adherence to specific legal frameworks, adding complexity to international data exchanges.
- Management of Data Subject Rights: Handling and addressing individuals’ rights concerning their data, such as access and deletion requests, can present logistical hurdles.
Q. Why is adhering to Data Protection Laws important for Indian Businesses?
A. Ensuring compliance with data protection laws is vital for Indian businesses because it safeguards the privacy and security of individuals’ personal data. By following these laws and regulations, businesses build trust among customers and stakeholders, reduce the risk of legal penalties and damage to reputation caused by non-compliance, and promote a culture of responsible data handling.
Q. What consequences do businesses face for failing to comply with data protection laws in India?
A. Businesses failing to comply with data protection laws in India may face severe penalties, including fines, sanctions, or legal repercussions, depending on the seriousness of the violation and the specific regulations violated. Moreover, individuals impacted by data breaches might have grounds to seek compensation for any damages suffered. To evade these penalties and uphold trust with customers, it is essential for businesses to strictly adhere to data privacy regulations in India.