Consulting firms, including the Big Four, which undertake discreet investigative services for audits and risk management, may not be able to process digital personal data under the “legitimate purposes” clause of the Digital Personal Data Protection Bill, 2023. This could impact their conduct at large, said experts.
Global professional services networks Deloitte, KPMG, PwC and Ernst & Young (EY) — also known as the Big Four — provide a range of forensic services for applications, including business crises and disputes.
Processing digital data for intelligence and analytics on behalf of clients is at the core of these advisory solutions.
According to the Bill tabled in the Lok Sabha, certain legitimate purposes would not require explicit consent from the user. These include employment-related purposes to protect the employer from loss or liability, such as prevention of corporate espionage.
“If the processing of data of employees is happening outside the organisation for any purpose, the companies would need to specifically seek consent at the beginning of their contract. For investigative activities, you would never want to take consent from an individual at the time of inquiry. You would not warn the suspects in situations of fraud,” said Salman Waris, managing partner at technology law firm TechLegis Advocates & Solicitors.
He added that a consent form would be one of the primary aspects of the privacy strategy of any company. It becomes more crucial with certain high-risk groups of employees who handle sensitive financial matters.
The consulting firms have gone into a temporary wait-and-watch mode on certain aspects of the Bill until a rulebook clarifies them.
“We have to see it on a case-to-case basis. For instance, background checks for hiring purposes are announced by the client and consent is taken. But this may not be the case for investigation services,” said Mini Gupta, technology partner at EY India.
Some important forensic service offerings by the Big Four include risk and reputation management. They deal with problems like cyber security threats, fraud and corruption, and regulatory anxieties.
“We would not be a data fiduciary for our clients’ end consumer data. But there is a major role that the Big Four can play in aiding the creation of rules and creating mass awareness. Given the ambiguity, once the law is in force, one would like to make clear what the ground for processing will be,” Gupta said.
She added that “Given that there isn’t much clarity, we may like to err on the side of caution. Once the law is in force, it is advisable to wait for the rules and have those conversations with the ministry.”
According to Shreya Suri, partner at the TMT practice of IndusLaw, the onus of protecting the personal information collected from individuals will remain with the data fiduciaries, which in this case refers to the organisations that hire the consulting firms.
“Ordinarily, it is the responsibility of a data fiduciary to seek consent for any kind of processing of personal data. Third-party data processors can only be involved according to an agreement with the data fiduciary. In this situation, if an employee withdraws the consent after the end of employment, data should not be processed,” Suri said.
However, as per Suri, this could be a gap in the law because it may not always be feasible to exercise a withdrawal of consent where data is being processed for legitimate purposes. Consequently, employers could continue to process the data for their legitimate purposes.
On the other hand, consulting firms are optimistic that the data protection law may open up multiple opportunities for them.
“They (professional services firms) can assist in setting up the privacy programme across fiduciaries, and thereafter, in sustaining it. The Bill also talks about an independent audit and transparent platforms, which would benefit the Big Four in terms of the larger ecosystem,” Gupta said.
At Stake
Consulting firms may not be fit for new version of deemed consent clause
Discreet forensic activities, such as fraud detection, to be impacted
Consent forms must ask employees for permission of external processing
Global professional services networks like Deloitte, KPMG, PwC, and Ernst & Young may get affected
Processing of digital data for intelligence and analytics at core of these firms