Digital Personal Data Protection Rules: What’s in Store
The trajectory behind notifying India’s first exclusive digital data protection Act dates back to 2017, with the landmark judgment in Justice K.S. Puttaswamy vs. Union of India [1] recognising the “Right to Privacy” as a fundamental right, and the subsequent formation of the B.N. Srikrishna Committee to study digital data protection.
Following the “big brother” of all data protection laws around the world, the General Data Protection Regulation (GDPR), the Draft Bill was initially released for public consultation in November 2022, but was subsequently withdrawn because multiple changes were needed.
Revamped with an overarching approach, the newly drafted Digital Personal Data Protection Act, 2023 (“DPDP Act”) was notified in August 2023, after receiving Presidential assent.
While the DPDP Act has been notified, the Digital Personal Data Protection Rules (“DPDP Rules”) are yet to be notified, and the incumbent government had stalled the process until the general elections were over. The past week saw Union Minister Ashwini Vaishnaw stating that the draft of the rules was at an advanced stage and that public consultation would be sought soon.
The 20-page Act is drafted in lucid language with comprehensive illustrations and, in a first, uses the pronoun “she”.
Upon close reading, however, the Act presents certain areas where additional clarification is expected, and the notification of the DPDP Rules will hopefully address them substantially.
This article delves into the parts where clarity is required for effective implementation of the data protection law:
1. Obligations of a Consent Manager: The DPDP Act makes it simpler for a Data Principal to give and withdraw consent with the help of a Consent Manager. Although Section 13 of the Act gives Data Principals the right to redress individual grievances against Consent Managers, the obligations or pecuniary liabilities arising in the event of a breach of duty by such Managers have not been outlined.
2. Clarity on Employer’s Liability: The advent of technology and Artificial Intelligence (AI) driven office management software has led many Data Fiduciaries to dump their employees’ personal data onto such platforms without seeking express consent. While the DPDP Act entrusts such corporates with the responsibility of being a “Data Fiduciary”, Section 7 of the Act specifies that separate consent is not required for the processing of personal data “for the purposes of employment.”
This provision is open-ended: are Data Fiduciaries not required to seek any consent for processing employees’ personal data, or are they merely not required to seek consent separately each time such data is processed for an employment purpose? The logical approach would be a one-time notice to employees, possibly at the time of signing the Employment Agreement.
Further, the Act specifically uses the word “employment”; whether interns, contractual or part-time workers are covered is a decision left to Data Fiduciaries.
3. Independent Data Auditor: Section 10 of the Act establishes the obligations of a Significant Data Fiduciary and lays down the criteria for deciding whether a Data Fiduciary is to be categorised as “significant”.
The proviso provides for the appointment of an Independent Data Auditor, entrusted with conducting periodic data audits.
The qualifications required to be eligible as a Data Auditor are yet to be specified; if the DPDP Rules address them, this will be another impressive domain opening up for eligible professionals.
4. Perils of Cross-Border Data Transfer: Unlike the GDPR, the Act permits Data Fiduciaries to transfer digital personal data across borders, except to countries which the Central Government expressly bans. However, this liberty is slightly alarming, since it is difficult to monitor whether data transferred internationally is passed on further to any of the specifically banned nations. The DPDP Rules should take this factor into account and lay down specific contractual clauses or rules to be followed.
5. Independence of Data Protection Board: The apex body responsible for functioning as a quasi-judicial executive body to protect the interests of Data Principals is to consist of a Chairperson and other members, as may be appointed by the Central Government. The DPDP Rules are expected to specify the number of such members.
The Central Government’s retention of the power to appoint members of the Data Protection Board (DPB) at its own discretion raises questions about the independence of the executive body.
Section 19 of the DPDP Act further states that such members should possess adequate knowledge or experience “in the fields of data governance, administration or implementation of laws related to social or consumer protection, dispute resolution, information and communication technology…” and that at least one member should be an expert in law. This is a tad unnerving, since adjudicating and delivering judgments requires lawyers who have honed their skills in court practice, rather than members with mere experience in law.
Once the DPDP Act is put into practice, with data breaches being the depressing reality, a number of cases are expected to arise, even in the farthest corners of India. Establishing jurisdiction-wise boards, similar to the National Company Law Tribunals (NCLTs), would be more effective in handling complaints quickly.
6. Tenure of Litigation: Unlike the 2022 Draft, which entrusted the jurisdictional High Courts to function as the respective Appellate Authorities, Section 29 of the released DPDP Act delegates this power to the Telecom Disputes Settlement and Appellate Tribunal (“TDSAT”). On repeated accounts [2], the Tribunal’s effectiveness and independence have been concerning, which further clouds the independence of the Board. Additionally, litigation is expected to be prolonged, as the TDSAT is already burdened with its fair share of telecom-related disputes.
7. Timeline for Personal Data Breach Notification: The Act defines a personal data breach as “any unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data that compromises the confidentiality, integrity or availability of personal data…”
While the GDPR requires breaches of digital personal data to be notified to the supervisory authority within 72 hours of occurrence, the existing DPDP Act remains silent on the timeline. Establishing specific timelines would significantly speed up the reporting and redressal process.
8. What’s in it for MSMEs: One of the biggest challenges in implementing the Act will be reaching out to Micro, Small and Medium Enterprises (MSMEs) and implementing the Act at ground level. Since compliance with the Act will be mandatory for any enterprise collecting and storing personal data in digitised form, it is crucial for MSMEs to be prepared with adequate SOPs detailing how the Act is to be implemented. However, the cost of ensuring adequate compliance is surely going to “cost an arm and a leg” for the MSME sector. In the absence of pecuniary incentives, it is a tough task, both for professionals and for the implementing agencies, to convince and reach out to MSMEs at large.
Thus, stakeholders wait with bated breath for the notification of the DPDP Rules and the implementation of India’s first exclusive data protection law. The beneficiaries of the Act and Rules will be a significant chunk of the population, ranging from educational institutions to healthcare providers, and basically any “person” [3] retaining digital personal data. The onus of implementation is largely on the DPB; however, competent professionals should consider this an untapped domain and arrange adequate training and awareness sessions. If implemented responsibly, we shall edge towards a digitally safe and secure nation.
[1] https://translaw.clpr.org.in/wp-content/uploads/2021/12/Justice-K.S.-Puttaswamy-.pdf
[2] https://indiankanoon.org/doc/1152518/
[3] See Section 2(s) of the DPDP Act, 2023