DPDP Rules: Clarity needed for effective implementation


INTRODUCTION
The Digital Personal Data Protection Act, 2023 (“DPDP Act”) received the assent of the President on August 11, 2023, but it is yet to be implemented. Being the first legislation to outline a comprehensive framework for digital personal data protection, the Government provided sufficient time for major industries to prepare for the transition. Currently, industry players are anticipating the rules, which are expected to provide the much-needed clarification for effective implementation of the DPDP regime.

As we await the release of these rules, here are a few crucial issues that the rules are expected to clarify.

1. Over-the-Counter Consent
Under the DPDP Act, the conditions for obtaining ‘consent’ from a data principal for data processing are stringent. The consent must be free, specific, informed, unconditional and unambiguous, and must involve a clear affirmative action signifying the data principal’s agreement to the processing of her data for the specified purpose. However, the rules should provide a mechanism for obtaining consent when it is given over the counter. For instance, in terms of illustration (I) under Section 7(a), where consent is sought from an individual verbally in a pharmacy, there are no electronic records to establish that the consent was actually given. Only an electronic receipt is provided to the individual to acknowledge payment. There is no other recorded transaction to establish that consent, in this case, was given.

The transaction relating to the giving of a ‘notice’ by the data fiduciary to the data principal for obtaining consent for a specified purpose cannot be undertaken verbally. If a ‘consent’ is neither given electronically nor in any other recorded form, withdrawing the consent, altering it or exercising any other rights related to the ‘consent’ would be difficult. Affirmative action on the part of the data principal would be difficult to prove. As such, a mechanism to address such transactions must be devised, keeping in mind also the financial impact on small businesses.

2. Clarity on Consent Manager
Under the DPDP Act, a consent manager (“CM”) is to be deployed to act as a single point of contact, through an interoperable platform, to enable a data principal to give, manage, review and withdraw her consent. As the name suggests, a CM exists exclusively to act on issues related to ‘consent’. If the rules do not clearly define the accountability, obligations and registration requirements for a CM, it could lead to significant adverse impacts. Without explicit guidelines, third-party CMs may not adhere to consistent standards for managing and documenting user consent, leading to potential mishandling of consent requests. This ambiguity can result in incomplete or inaccurate consent records, which can compromise data principals’ rights and undermine the integrity of consent processes.

Furthermore, the lack of defined registration and accountability requirements could lead to inadequate oversight of CMs, making it difficult to hold them accountable for non-compliance or errors. This can expose data fiduciaries to legal risks, including fines and penalties for failing to comply with data protection laws. Additionally, data principals may experience confusion and mistrust if their consent is not managed in a transparent and reliable manner, ultimately damaging the fiduciary’s reputation and operational effectiveness.

Section 13 directs both the data fiduciary and the CM to provide a grievance redressal mechanism to the data principal. This overlap of responsibilities could lead to uncertainty for the data principal. Hence, the responsibilities of the data fiduciary and of the CM should be clearly chalked out in a separate set of rules.

3. Pre-hiring and Post Employment Transactions
Under the DPDP Act, digital personal data can be processed either upon obtaining consent from the data principal or for certain legitimate uses. Legitimate uses include data processed by an employer for the purposes of employment or for safeguarding the employer from loss or liability related to such employment. However, the term ‘purposes of employment’ is wide in nature, and it may be assumed that such purposes could even include pre-hiring and post-employment scenarios.

If that is the case, it is of utmost importance that the rules clarify the handling of such data in pre-hiring and post-employment scenarios, as there could be cases of misuse of such data. Such scenarios may very well be brought under the condition of obtaining consent, and a mechanism can be set forth.

4. Mechanism for Data Breach
The DPDP Act makes it obligatory for the data fiduciary to report any data breach to the Board and to the affected data principal in the manner as may be prescribed. Currently, companies are required to report any data breach within 6 (six) hours to the Indian Computer Emergency Response Team (CERT-In) as per the directions under Section 70B(6) of the Information Technology Act, 2000, dated April 28, 2022 (the “Directions”).

While the manner of such reporting under the DPDP Act will be prescribed in the rules, there is a possibility that the Directions and the DPDP obligations may co-exist. The rules will therefore have to take the Directions into consideration and frame the requirements in tandem with them, to ensure that the data fiduciary is not burdened by multiple obligations.

5. Safeguards and Standards for Cross-Border Data Transfer
The DPDP Act allows a data fiduciary to transfer personal data for processing to territories outside India unless the Government restricts transfers to certain specified countries through notification. Before engaging in such transfers, data fiduciaries must ensure that comprehensive contracts are in place detailing the responsibilities and liabilities associated with the data transfers. For instance, the General Data Protection Regulation, 2016 (“GDPR”) includes standard contractual clauses tailored to the roles of the parties involved in such contracts.

The rules should provide for similar clauses to safeguard data during cross-border transfers and provide guidance to data fiduciaries undertaking such transfers.

6. Mechanism for Classification as ‘Significant Data Fiduciary’
Section 10 outlines that the Government has absolute and discretionary power to categorise any data fiduciary as a ‘significant data fiduciary’ on the basis of certain factors such as the volume and sensitivity of personal data being processed, risks to the rights of data principals, etc. Once the Government categorises a company as a significant data fiduciary, the DPDP Act provides no recourse to request the Government to review or reconsider its decision. Therefore, it becomes essential for the Government to provide a mechanism on the basis of which the decision to declare a data fiduciary a significant data fiduciary will be concluded. Since the DPDP Act imposes additional compliances on significant data fiduciaries, leading to significant financial obligations, companies being categorised as such should have the right to know the criteria for the designation.

Upon implementation of the Goods and Services Tax Act, 2017, no mechanism was provided to establish profiteering by companies, which led to unnecessary and avoidable litigation. Perhaps a set of clear conditions for the identification of significant data fiduciaries is the need of the hour.

CONCLUSION
As India Inc. gears up for India’s forthcoming data privacy landscape, clarity and precision in the framework will be crucial in fostering trust and compliance under India’s developing data protection regulation. To this end, the rules are going to play a crucial role, and clarity on various fronts is expected once they are made public for stakeholder discussion.

By Rashmi Deshpande, Aarushi Ghai and Renee Gohil
