Stakeholders of India’s digital economy have their compliance teams scrambling to carry out strategy updates and get practices to align with the country’s first ever law on data protection.
The central government recently notified the Digital Personal Data Protection (DPDP) Act, of 2023. Under it, most firms that deal with data in a digital format — from the largest e-commerce platforms to fintech to IT services firms to ride-hailing platforms to health tech startups — have the legal obligation to ensure the safe collection, processing and sharing of personal data that they receive from their customers.
The law requires platforms to take “reasonable security safeguards” to prevent data breaches. Henceforth, a data breach may pose an existential threat to their businesses, with penalties of up to Rs 250 crore and a potential blocking of services in case of repeated violations.
The enforcement of the new law will be a major challenge for digital platforms, given the current level of data security preparedness in the ecosystem.
According to a recent study by Cisco, only 24 per cent of Indian organisations have a “mature” level of readiness to withstand modern cybersecurity risks, despite a growing dependency on remote work. What’s more, 90 per cent of companies in India expect cybersecurity incidents to disrupt their business in the next 12-24 months.
“Data privacy is still in its nascent stages in the context of the Indian market; organisations will have to work towards updating their existing processes to embed data privacy principles within their processing activities,” says Lalit Kalra, technology partner at EY India.
According to the Cisco study, almost 80 per cent of Indian organisations experienced some kind of cybersecurity incident in the last 12 months, compared to 57 per cent globally.
Kalra says that organisations would have to invest in privacy enhancing technologies (PETs) and enhance their cyber defence, prioritising individual privacy and organisational security. Hefty penalties may create a deterrence effect and prompt companies to invest more in compliance, he adds.
An AI-enabled health technology company, whose founder does not wish it named, says that it is focused on data minimisation strategies ahead of the enforcement of the law.
“Privacy has always remained a priority for us, but now we are re-looking at our business processes to find ways to provide the same services with a minimal amount of data. We may need to rewrite the data functions from scratch in some cases, but it is better than leaving scope for penalties in future,” says the founder.
To begin the compliance process, every digital platform will need to take unconditional, free, specific, and informed consent from users for collecting their data. Unlike the current practice, where most of the apps pile on thousands of lines of terms and conditions followed by a checkbox, saying “I agree”, the law requires the details of consent to be presented in simple, clear and plain language for the users.
In addition, the data must be used only for the purpose defined at the time of obtaining consent and the notice must be made available in all 22 official Indian languages. Users may also withdraw this consent at any point, after which the platforms must stop processing their data and erase it.
Certain platforms will be notified as ‘significant data fiduciaries’, depending on the volume and sensitivity of personal data, risks to the rights of users, impact on the sovereignty and integrity of India, and so on. Such platforms will have more stringent obligations.
“Small businesses might see significant challenges in compliance if the same standards are expected of them, despite having less manpower and less financial resources. This is especially so if they become identified as a ‘significant data fiduciary’ under Section 10 of the Bill, which would require them to appoint a data protection officer, conduct periodic data audits and perform data protection impact assessments, among others,” says Genie Gan, head of government affairs & public policy for APAC & META regions at cybersecurity firm Kaspersky.
The penalties will be imposed by the Data Protection Board, an adjudicating body to be appointed by the government. Penalties will depend on the nature, gravity and duration of the breach, the type and nature of the personal data affected by the breach, and so on. The board may also impose penalties of up to Rs 200 crore for not informing it about the breach within a stipulated time.
Financial services platforms handle another category of sensitive data and will need to keep complying with the Reserve Bank of India’s guidelines in addition to the new law. Fintech platforms must store payment system data only on servers located in India.
“As per the new law, we are reviewing the data policy and data collection and consent mechanisms. If required, we will follow the process and take new consent from current and potential customers. We are implementing changes in data collection, record keeping, consent process and allowing the customer to withdraw consent,” says Rohit Pateria, Co-Founder of Lark Finserv, which provides loans against mutual funds.
ZET (previously Onecode), a fintech platform that connects partner brands with resellers to sell their financial products and services, believes the Act may have a major impact on the way it collects and handles data.
“We maintain strict guidelines on data collection and handling practices to ensure that we are in complete compliance with the law. We are also planning to implement several significant changes to bolster our platform's data security, including implementing a zero-trust security model, investing in new technologies to protect our data and increasing training for our employees on data security,” says Manish Shara, cofounder and chief executive officer (CEO) of ZET.
However, experts say that most global service providers in India such as traditional IT services firms may not need to make significant changes to their practices. This is due to their compliance with privacy laws in other geographies, which have similar requirements.
“The concept of penalty is not new. There have been active efforts towards privacy compliance in India, given that it is a global hub for IT and enabled services, in line with some international laws. Further, a rough plan has been drawn to prepare for penalties that may materialise and corresponding controls that may be used to tackle and deter them. The DPDPB has a more streamlined slab of penalties,” says Sowmya Vedarth, partner at Deloitte India.
“Embracing a ‘privacy by design’ approach integrates privacy measures from the inception of the technology or system development, rather than treating it as an afterthought. It fosters a sense of trust amongst stakeholders and can even accelerate growth opportunities,” Ivana Bartoletti, Global Chief Privacy Officer of Wipro Limited, said in a statement.
What the data protection law does:
- Defines consent, cross-border transfers
  - Introduction of the ‘deemed consent’ concept for processing personal data has led to recommendations for refinement
  - The law leads to a necessity to obtain consent from data principals at each juncture of data
  - Data fiduciaries headquartered in countries that do not receive the Indian government’s endorsement will face challenges in cross-border data transfer
- Redefines ‘child’
  - The law designates individuals younger than 18 as a child
  - Data fiduciaries need to acquire verifiable parental consent and refrain from tracking or behavioural monitoring of children
  - Inadvertently, it could hinder older children, especially teenagers, from accessing essential services
- Section 8(1)(j)
  - Amendments in this section aim to exempt all personal information from disclosure
  - Potentially challenges the prevalent transparency and accountability framework
  - The section’s provisions may lead to a potential clash between data protection and open governance

Source: Salman Waris, managing partner, TechLegis Advocates & Solicitors