In August 2023, India enacted the Digital Personal Data Protection Act 2023, a landmark law reshaping the country's data protection landscape. The rules of the DPDPA are expected to be published by the Indian government for public consultation soon, operationalizing some DPDPA provisions.
Once published and enforced, the DPDPA will result in a quantum leap towards achieving a more robust data privacy framework, reflecting global trends and addressing unique challenges in India's digital economy.
For businesses operating in India, understanding and adapting to these changes is crucial.
The DPDPA applies to the processing of personal data in digital form within India, as well as outside India in connection with offering goods or services to individuals in the country. It applies to data fiduciaries, that is, entities determining the means and purposes of processing personal data either alone or jointly with others, akin to data controllers under the EU's General Data Protection Regulation.
The rules under the DPDPA are widely anticipated. Considering the DPDPA's provisions are expected to be prescribed through delegated legislation, the rules are likely to clarify key aspects.
Consent framework
The DPDPA envisions a consent-oriented approach, requiring data fiduciaries to obtain the "free, specific, informed, unconditional and unambiguous" consent of data principals — similar to "data subjects" under the GDPR — prior to processing their personal data, except for certain legitimate uses.
The rules are expected to formulate how such consent is to be obtained to satisfy the DPDPA's consent standard. The rules are reportedly expected to introduce "consent artefacts" to unbundle existing consent requests, making them more specific, informed and unconditional, so the exercise of choice by the data principal is real and meaningful.
Consent artefacts may enable granular exchange of consent, while also making it possible for data fiduciaries to make consent obtained from data principals an auditable record for the purpose of demonstrating compliance with consent requirements.
The DPDPA also introduces "consent managers" as unique players within the data protection framework, being entities enabling data principals to give, manage, review and withdraw their consent through an interoperable platform.
The rules are also expected to clarify the technical and operational conditions, as well as accountability obligations, applicable to consent managers. This may have a significant bearing on the business model of consent management as a service.
Exemptions
The DPDPA rules are expected to provide much-needed clarity on the exemptions provided under the law.
Under the research exemption, personal data can be processed for research, statistical or archival purposes without complying with DPDPA requirements, such as obtaining consent for such processing. In this context, the rules may also define the scope of permissible research activities and outline the standards that need to be abided by while undertaking such research.
The rules may clarify exemptions relating to processing of children's personal data by certain data fiduciaries specifically designed for children, where obtaining parental consent for every interaction may not be practical or necessary. These exemptions are likely to be strictly regulated, ensuring the interests of children are safeguarded, while allowing some flexibility for entities catering to the needs of younger audiences.
The rules may also specify the circumstances under which data processing for children can be carried out without obtaining verifiable parental consent. From a policy perspective, it may be prudent for the rules to exempt certain data fiduciaries, such as online platforms, from restrictions against monitoring children's activities in certain cases. These include instances where processing of children's data is undertaken in the interest of child safety or to prevent children from harm, for instance, to ensure inappropriate content is not directed at children.
Breach reporting
The rules under the DPDPA will likely stipulate the maximum time frame within which a "personal data breach" must be reported to the Data Protection Board of India — the enforcement body under the DPDPA — as well as to data principals.
According to reports, the rules may align breach reporting timelines with other international standards, such as those under the GDPR, which require notification within 72 hours of becoming aware of the breach.
Additionally, the DPDPA rules may outline the required content and format of breach reports. Clarifying the timelines and reporting requirements will help businesses establish clear protocols for responding to data breaches, consequently minimizing the risk of noncompliance and ensuring swift action to protect personal data.
Businesses will also need to consider streamlining reporting requirements across various laws, including the DPDPA, requirements imposed by the Computer Emergency Response Team India, as well as sectoral regulators, where applicable.
It is unclear if the rules will introduce any materiality threshold — such as a harm-based threshold — for breach reporting, especially considering the absence of such a threshold within the text of the DPDPA itself.
Retention period
The DPDPA imposes a data minimization requirement on businesses, requiring erasure of personal data once the purpose of collection has been served. This makes retention periods based on the classification of various categories of personal data within an organizational inventory a critical component of compliance.
The rules may clarify retention periods for personal data processing for certain purposes depending on its context.
Gearing up for the new regime
As publication of the DPDPA rules nears, businesses may consider taking steps to transition to this new data protection regime.
The DPDPA requirements should seamlessly permeate the entire organizational framework across its hierarchical structure — from key managerial personnel to on-ground staff routinely handling personal data. Regular training, simulation exercises and workshops can help in attaining a strong grasp of the complexities of this new law, helping internalize a strong culture of privacy.
Data discovery and mapping. Businesses will need to carry out a comprehensive data discovery and mapping process to ensure the appropriate identification and classification of personal data across the organization's various departments.
This will aid effective data inventory management which, in turn, will facilitate compliance with various obligations under the DPDPA and its rules. While this may seem straightforward, it may be a mammoth task for legacy businesses processing vast amounts of data historically collected in unstructured form.
Reviewing existing policies and practices. Businesses will need to review existing data governance and management policies and identify appropriate changes to align with the DPDPA and its rules.
For multinational companies, this may involve identifying the "delta" required in existing global policies and practices. For instance, while the GDPR permits "legitimate interests" and "contractual necessity" as lawful bases for processing personal data, under the DPDPA, consent appears to be the foremost lawful basis, with limited leeway available through alternatives such as "certain legitimate uses."
Existing privacy notices, for example, may have to be revisited wherever consent is the basis for processing personal data, to ensure compatibility with both the DPDPA as well as the rules.
Implementing robust consent mechanisms. There will be a need to develop systems that enable obtaining granular consent, with the ability to manage and withdraw consent easily, in accordance with the mechanism for exchanging consent under the rules.
To demonstrate compliance with consent requirements, businesses may also be required to establish a mechanism to log or record each instance of consent exchange, which in turn may warrant a considerable technology lift, depending on existing consent practices.
Reviewing existing and prospective contractual arrangements. The obligations under the DPDPA and its rules do not directly apply to data processors processing personal data on behalf of — that is, pursuant to instructions from — data fiduciaries.
Instead, data fiduciaries are required to ensure not only their own compliance, but also that of data processors processing personal data on their behalf. Consequently, businesses will have to revisit existing contractual arrangements with third parties, including technology service providers — such as cloud service providers — suppliers and contractors, to appropriately pass down obligations under the DPDPA, as well as ring-fence their liability for noncompliance attributable to third parties.
Remain informed, proactive
As privacy consciousness increases with enforcement of the DPDPA, a business's privacy practices will greatly influence consumers' choice in picking products and services in India's competitive digital economy.
As a result, complying with the DPDPA will be not only a legal obligation, but a strategic imperative to enhance consumer trust and sustain brand reputation.
As the rules under the DPDPA are being finalized, it is essential that businesses remain informed and proactive in adapting to India's dynamic regulatory environment.
Supratim Chakraborty is a partner and Siddharth Sonkar is a senior associate at Khaitan & Co. The authors would like to thank Abhishek Tiwari for their assistance with this article.
The IAPP's "Top 10 operational impacts of India's DPDPA" series covers the most important components of the Digital Personal Data Protection Act.