August 18, 2023
1. Introduction
In our previous post, we dealt with the scope of the Digital Personal Data Protection Act, 2023 (DPDP Act), the potential impact of consent as primary processing basis, and how Data Fiduciaries are likely to engage with Data Processors. In this second post, we aim to analyze Data Fiduciary’s obligations, Data Principal’s rights, and the potential consequences for non-compliance with DPDP Act.
2. What are the key obligations of Data Fiduciaries?
DPDP Act codifies several obligations for Data Fiduciaries. The majority of it is worded as principle-based obligations versus a detailed narrative of what such obligation encompasses. This makes it imperative that each entity identifies the constituents that will help them substantiate compliance with DPDP Act, and a “one-size-fits-all” approach may not work. The key ones are discussed below:[1]
- Data Fiduciaries must implement “appropriate technical and organizational measures” to ensure “effective observance” of DPDP Act.
What qualifies as appropriate measures have not been elaborated, and there is flexibility with each case being evaluated on its specific facts. Towards this, the Data Protection Board of India (DPBI) recognizing certain standards, certifications, or codes of conduct as the recommended threshold would massively help organizations. Similarly, DPBI should also consider issuing guidance notes similar to Article 29 Working Party opinions under EU GDPR to enable businesses to better grasp this aspect. But until such time, the task has been left to Data Fiduciaries to determine and implement appropriate measures.
Technical measures are the physical and technological measures deployed on an entity’s systems and networks, such as firewalls, VPNs, time stamps for access control, two-layer security authentication, pseudonymization, encryption, physical access security, password protection, etc.
Organizational measures comprise the internal policies, methods, standards, and practices that entities use for protecting data, such as retention, access control, vendor onboarding, business continuity, disaster management, backup, quality control and knowledge management, information security management, and information assets confidentiality policies.
So, what should be the approach? Here, businesses must consider (i) the origin, nature, scope, context, and purpose of processing, (ii) the core principles for fair processing i.e., data minimization, purpose limitation, storage limitation, integrity and confidentiality, lawfulness and transparency, and accountability, (iii) the personal data (PD) processed, (iv) state of art for privacy enhancement tools (PETs) and other tech tools, (v) associated costs, and (iv) the risks involved in processing such PD i.e., the risk of loss that Data Principal could be subjected to due to processing.
This very well could translate into a one-time data protection impact assessment study for businesses stretching over physical, organizational, operational, and technological measures used in the processing lifecycle, followed by periodic assessment of the continued efficiency of implemented measures. Similar exercises should also be conducted while engaging down-the-line Data Processors.
For example, let us take the hypothetical where a financial institution onboards a fintech to analyze data and provide cash-flow forecasting, which is then offered as a service by the bank to its customer running small businesses. This would help the customer as well as the bank to evaluate where loan products can be offered. Typically, for this use case, the fintech would be allowed access to the customer’s full transaction data, resulting in a breach of the data minimization principle, and creating a possibility for misuse without consent. In this situation, it may be worthwhile for the bank to deploy a secure multiparty computation system[2] to only provide access to essential data points without exposing the entirety of transaction data.
- Data Fiduciary must take “reasonable security safeguards” to prevent “PD breach” for all PD that it controls or possesses, including those being processed by Data Processors.
This obligation is a derivative of the generic obligation to implement appropriate technical and organizational measures.
PD breach means any unauthorized or accidental processing of PD that compromises the confidentiality, integrity, or availability of PD. The definition of PD breach is wide, and not connected with loss or gain that is caused to Data Principal or a third party, but focused on preserving the sanctity and usability of PD. This is in line with PD breach as understood in most jurisdictional data protection laws.
Reasonable security safeguards are not defined, and again, DPBI’s approval of certain standards and advocacy drives will be beneficial for businesses. But the concept is not new for entities doing business in India. At present, SPDI Rules state that an entity would have complied with reasonable security practice requirements where it has (i) put in place a comprehensive and documented information security policy that contains details on managerial, technical, operational, and physical security control measures, (ii) implemented such policy, and (iii) the security measures commensurate with the information assets protected and nature of business. It also states that compliance will be deemed if the entity follows IS/ISO/IEC 270001 on IT – Security Techniques – Information Management System Requirements, and is being audited at determined periodicity.
Applying the existing state of law to DPDP Act’s requirement, it can be deciphered that the reasonableness of security measures will depend on whether such measures are effective in the face of risk inherent in processing PD. This is a good place to start for those who were outside the purview of SPDI, or plain ignorant. Immediate action steps would involve devising an infosec policy, determining desired security measures, and implementing them. While doing so, entities must pay closer attention to similar factors as discussed for appropriate technical and organizational measures. Even for those with established processes, a review is in order.
- Where a PD breach occurs, Data Fiduciary is obligated to notify DPBI and each affected Data Principal.
The manner and form for such notice will be provided in the rules. As it stands today, a data breach is a cyber incident that must be reported to the India Computer Emergency Response Team (CERT-In) within 6 hours of first knowledge about the breach. There is no obligation to notify affected individuals, although many organizations do follow the practice due to requirements under foreign laws, or as a matter of good data governance practices.
With the implementation of DPDP Act, additional notifications must be sent to DPBI and Data Principals. This is a significant move to safeguard an individual’s informational privacy and enable their empowerment concerning their data sets. Quite naturally, this is a measure to ensure transparency and accountability.
- Data Fiduciary is required to ensure “completeness, accuracy, and consistency” of PD that is likely to be processed for decision-making concerning the Data Principal, or where PD is disclosed to another Data Fiduciary.
This stems from the well-acknowledged protection obligation as can be seen in different jurisdictions. But DPDP Act calls out this as an absolute mandate if the two use cases of PD processing are involved. This can prove quite onerous for businesses, and DPBI should issue suitable clarifications.
To understand this, let us consider a comparable requirement that can be found in Singapore data protection law – it requires that organizations take reasonable efforts to ensure that personal data that is likely to be used for the decision-making process or shared with a third party is accurate and complete. Here, the efforts have to be reasonable. For example, if the organization has been regular in conducting data inventory exercises, enabled consent management mechanisms, and sent multiple reminders to the individual data subject through different modes of communication seeking confirmation on their PD, the organization’s reasonable efforts can be substantiated.
Should the accuracy obligation be interpreted in absolute terms as suggested by the existing language used in DPDP Act, an unachievable standard would be set-out that could potentially mean significant limitations on how PD is shared with other Data Fiduciaries.
- Data Fiduciary shall “not retain and erase PD” (i) Data Principal has withdrawn consent, or (ii) as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier.
When erasing because consent has been withdrawn, a business must analyze whether the specified purpose is completed or not. If the specified purpose has not been completed before consent withdrawal although some actions have been performed, then, Data Fiduciary can continue to process PD to fulfill, but immediately erase thereafter. For example, where a Data Principal consents to the processing of PD on an e-commerce platform, places an order and makes the payment, and thereafter, withdraws their consent; here, the specified purpose needs to be completed by the e-commerce platform and to that extent, can continue processing PD, after which they must delete it.
Concerning the (ii) point, the assumption will arise if Data Principal does not approach the Data Fiduciary for the performance of the specified purpose, nor do they exercise any of their Data Principal rights (as discussed subsequently) for such duration as may be provided in the rules. For example, where a Data Principal creates an account on an e-commerce platform and consents to the processing of PD, but never uses the account or places an order on the platform, it can be reasonably assumed that the purpose is no longer been served.
The only exception to this obligation is the retention of PD as required for compliance with any applicable law. For example, Income-Tax Act authorizes tax authority to send notice to taxpayers within 7 years from the end of a financial year. Typically, these processes would require taxpayers to provide documents under such notice. This necessitates the need to retain tax-related documents, which can contain PD like financial information such as tax deduction proof, identification numbers, etc. So, a business can continue to retain to comply with taxation law requirements.
Nonetheless, the thumb rule is to implement the storage limitation principle. Entities must in the course of their data mapping exercises, identify, and devise selective data retention policies and processes.
- Data Fiduciary must publish the business contact information of its representative who would communicate with and respond to queries from the Data Principal. Where DPDP Act mandates the appointment of a Data Protection Officer (DPO), the DPO will be the representative in this regard.
- Data Fiduciary must establish an effective grievance redressal mechanism e., a readily available, and easy mechanism to redress grievances of Data Principal concerning breach of their rights under DPDP Act (as discussed subsequently), or that of an obligation on the Data Fiduciary. The response timeline for such grievance has been left to rule-making.
3. What are the additional obligations for Significant Data Fiduciaries?
DPDP Act empowers the Central Government (CG) to notify some Data Fiduciaries as Significant Data Fiduciaries (SDFs) basis assessment of relevant factors like (i) volume and sensitivity of PD processes, (ii) risks posed to Data Principal’s rights due to processing, (iii) potential impact on sovereignty and integrity of India, (iv) risk to electoral democracy, (v) state security considerations, and (vi) public order. While it is hard to forecast who are likely to be notified as SDFs, the previous drafts indicated that social media intermediaries may be notified in this category. Further, certain indicative factors that appeared in previous drafts such as turnover and use of new technology have been dropped.
What is clear at this point is that while DPDP Act applies to all kinds of PD, certain PD for all practical purposes will continue to be viewed as sensitive sets, with higher harm and risk matrix, like health, biometrics, and financial data. So, organizations that have already maintained historical classifications under SPDI Rules should be cautious while deciding to do away with old practices in their entirety. For those who do not have such classification, it may be relevant to conduct a preliminary assessment of underlying PD’s sensitivity.
Should an entity be notified as SDF, it will have to comply with certain additional obligations; these are briefly captured below:
- appoint a DPO who shall represent the SDF for DPDP Act; in terms of qualification, DPO must be based in India, responsible to the board or governing body of the SDF, and responsible for grievance redressal mechanism;
- appoint an independent data auditor to carry out data audit on the SDF for evaluating compliance with DPDP Act;
- conduct periodic audits apart from the statutory audit through the independent auditor; and
- conduct Data Protection Impact Assessment (DPIA); the details of what constitutes DPIA process have been left to rule-making, but it is abundantly clear that DPIA process is likely to follow the spirit of impact assessments as conducted under other jurisdictional laws and aimed at assessment and management of risk associated with PD processed bearing in mind the processing purposes and Data Principal’s rights.
Apart from the above, DPDP Act empowers the CG to come up with new obligations for SDFs.
4. What are Data Principal rights?
It is a common misconception that SPDI Rules do not provide the concerned individual any rights about their data. This can be largely attributed to low awareness. At present, SPDI Rules provide for rights to access, correction, consent withdrawal, and grievance redressal.
DPDP Act retains most of the old wine in new bottles and makes incremental expansion on Data Principal’s rights. It is important to highlight that the rights can only be exercised where consent is the basis of processing. They cannot be exercised where PD has been processed on legitimate use grounds such as for law enforcement, prevention of crime, providing treatment during emergency, etc. The Data Principal’s rights are:
- right to withdraw consent i.e., Data Principal can choose to withdraw consent, and must have similar and comparable ease for withdrawal as was deployed for obtaining their consent; we did a detailed analysis of this right in our previous post;
- right to access being the Data Principal’s right to obtain (i) a summary of PD processed and processing activities undertaken, (ii) identities of third parties with whom PD has been shared and description of PD shared, and (iii) other information as will be provided in the rules;
- right to correction, completion, and updating of processed PD;
- right to erasure of processed PD, unless retention is required for specified purpose or compliance with applicable law;
- right to grievance redressal as discussed earlier;
- right to nominate another individual who shall act for the Data Principal upon death or incapacity of the Data Principal;
- right to complain to DPBI, but before exercising this right, Data Principal must seek redressal through Data Principal’s grievance redressal mechanism.
DPDP Act is silent on how these rights would be exercised, and perhaps, rules would elaborate on matters such as what happens when there are repeated access requests, whether Data Fiduciaries can charge any fee, what forms have to be used, etc.
While these get hashed out in the future, organizations need to acknowledge that Data Principal rights and mechanisms to honor them are a critical aspect of DPDP Act. With this, it will be timely to start working on policies to set up internal processes and evaluate the deployment of suitable data subject access right tools.
5. Penalties
DPDP Act provides for steep penalties with the intent of deterring breach of its provisions. As of date, there are rare and countable instances where a breach of SPDI Rules has resulted in the payment of compensation or fines. But, with the implementation of DPDP Act, status quo is likely to change, and hence, preparing for compliance is of paramount importance.
Before levying penalties, DPBI is obligated to undertake prima facie evaluation of the merits, conduct inquiry proceedings into the alleged breach, and follow principles of natural justice. While performing this role, DPBI will be considered a quasi-judicial body with the powers of a civil court such as examining on oath, calling for evidence, conducting inspection, etc. Orders passed must be reasoned orders. These can be appealed against to the appellate tribunal.[3]
Where DPBI through inquiry finds that the breach is “significant”, it will provide another hearing opportunity, and can then proceed to impose penalties. So, a sine qua non will be a finding on the significance of the breach. Here, factors that are likely to be considered would include (i) nature, gravity, and duration of the breach, (ii) type and nature of PD affected, (iii) repetitive pattern, (iv) whether there has been a gain due to the breach, (v) what mitigation steps have been taken, (vi) what would be a proportionate and effective penalty, and (vii) the likely impact on the person. The penalty will be as per the following limits, but these can be changed or added upon at a later stage:
- breach of obligation to implement reasonable security measures for preventing PD breach = may extend up to INR 2.5 billion;
- breach of obligation to notify PD breach to DPBI and affected Data Principal = may extend to INR 2 billion;
- breach in complying with additional obligations while processing children PD = may extend to INR 2 billion;
- breach by SDF in complying with additional obligations = may extend to INR 1.5 billion;
- breach of any other provision = may extend to INR 500 million.
6. Conclusion
While implementation of the DPDP Act could happen in phases, there is a fair bit of housekeeping and background work that entities must focus on. For many, it could be the start of an operational protocol that never existed and can seem overwhelming. Yet, for others, it could mean picking up the existing processes, evaluating their adequacy, and augmenting as needed. A compliance-driven approach may not be ideal. A privacy governance point of view that focuses on informational privacy would likely simplify the process. In the meantime, awareness and sensitization on what and how of DPDP Act should be a top agenda for businesses in India and across.
[1] DPDP Act at Section 17 provides certain exempt categories where some or all of these obligations will not apply. We have not elaborated on these exempt categories
[2] Secure multiparty computing system is a PET that uses cryptography and enables multiple parties to jointly compute their inputs without sharing underlying values. It essentially will mean distributed data without exposing it, using a specified protocol
[3] Telecom Disputes Settlement and Appellate Tribunal established under the Telecom Regulatory Authority of India Act, 1997 will act as the appellate body for DPDP Act.