Data privacy considerations for technology companies

By Harsh Kumar and Indraneel Chakraborty, Kaizen Law

India’s first comprehensive data protection law, the Digital Personal Data Protection Act (DPDP Act), was enacted in August 2023 to regulate the processing of digitalised personal data of individuals (data principals).

Most significantly, personal data is recognised as users’ property and not a free or proprietary resource of data fiduciaries (entities collecting and processing personal data) and data processors (entities processing personal data on behalf of data fiduciaries).

The DPDP Act permits processing of digital personal data, whether in India or abroad, only with an individual’s consent or for specific legitimate purposes. Although not yet formally in effect, the framework prioritises explicit consent of data principals, and purpose limitations on data processing. Entities, especially data fiduciaries, are subject to stringent data handling standards, increased accountability, and potential monetary penalties of up to INR2.5 trillion (USD30.1 billion) for non-compliance.

Impact across industries

Harsh Kumar
Founding Partner
Kaizen Law
Tel: +91 99 9919 1620
Email: harsh.kumar@kaizenlaw.in

Globally, the volume of data created, captured and consumed was 64.2 zettabytes (one zettabyte equals a trillion gigabytes) in 2020, according to a 2023 study by Petroc Taylor published on Statista.com. By 2025, it is predicted to exceed 180ZB.

Accordingly, with increasing internet penetration in India and consumption of massive amounts of online content, the DPDP Act will impact all industries across sectors that handle substantial personal data volumes. These include research, fintech, education, healthcare, IT-ITES, e-commerce, telecoms, marketing and advertising.

Against this backdrop, this article explores crucial aspects of the DPDP Act that merit attention for technology companies functioning as data fiduciaries or data processors.

Compliance challenges

Technology companies must revamp their data processing practices to align with the DPDP Act. This means undertaking a detailed risk assessment of their operations, establishing a bespoke compliance framework and budgeting for recurring data protection compliance.

The cost of upgrading existing technological safeguards for protecting users’ data will likely rise, as entities must build accessible, transparent and interoperable technology not only for recording and managing individuals’ consent to the use of their data, but also for letting users edit or erase such data with ease.

Training staff to supervise data processing, and liaising with data principals and consent managers (entities registered with the Indian data regulator through which data principals give, manage and withdraw consent) for timely grievance redressal, would be costly too, as would undertaking annual operational assessments.

Furthermore, once rules under the DPDP Act are notified, significant data fiduciaries would face additional obligations, including mandatory appointment of a data protection officer, and undertaking periodic data protection impact assessments.

Therefore, the need to balance data compliance with managing costs becomes imperative for entities such as startups, which are often data guzzlers with high cash burns.

M&A impact

Indraneel Chakraborty
Associate
Kaizen Law

The DPDP Act would significantly influence existing M&A practices involving technology companies. The need for voluntary and unambiguous consent of data principals – along with the DPDP Act’s emphasis on purpose limitations for processing personal data – imposes additional consent requirements on data principals before a share acquisition or business/asset transfer involving a data-rich technology company can be consummated.

Currently, section 17(1)(e) of the DPDP Act dispenses with the consent of data principals only for transactions approved by a court, tribunal or similar competent authority.

Accordingly, M&A transactions not covered by section 17(1)(e) may require fresh consent from data principals, adding time, cost and deal uncertainty. The expense and time overrun involved in seeking fresh consent may be a significant reason for transacting parties to adopt court-driven restructuring of technology companies instead of share or business acquisitions. Even in exempted M&A transactions, disclosure of the personal data of a target’s customers and employees at the due diligence stage itself, before the tribunal’s approval, may necessitate fresh consent from data principals.

New market practices may emerge for undertaking diligence on technology companies in phases, or even after deal consummation, with appropriate post-closing valuation adjustments, so that no data principal’s consent is required as a condition precedent to closing. Further, in cross-border M&A transactions, the Indian government’s consent may be necessary if the acquirer is located in a country blacklisted by the government.

Diligence and valuation

Diligence on technology companies will focus on a meticulous evaluation of their overall compliance with the DPDP Act. There will be increased scrutiny of the target’s compliance with existing data processing agreements, its consent mechanisms for data processing, and its safety and security protocols for stored data.

The valuation of technology companies may also be significantly affected by their historical non-compliance with the DPDP Act, with acquirers seeking more extensive representations and warranties from the sellers of target companies.

The significant monetary consequences of non-compliance under the DPDP Act would also result in broadly scoped indemnities to protect acquirers against unforeseen risks, for example data leaks, even absent any significant non-compliance by a target.

As a result, claim limitations – including caps, the sunset period for representations and warranties, and knowledge qualifiers – would be negotiated more intensely between the parties, prompting greater use of warranty insurance structures.

Multiple regulators

Technology companies, such as fintechs, that are regulated by existing sectoral regulators like the Reserve Bank of India must navigate compliance with both the DPDP Act and sector-specific regulations.

In the short term – until the regulators streamline their respective regulatory guidance – there may be overregulation of technology companies, requiring all dual-regulated entities to evolve a more nuanced approach to aligning with varying regulations on data processing.

Building internal frameworks

The DPDP Act permits the processing of personal data with the consent of data principals or for specific legitimate uses, such as compliance with judicial orders or responding to medical emergencies. For any situation not prescribed as a legitimate use, data fiduciaries must rely on data principals’ consent to process their data.

Until best practices emerge on the degree of autonomy that data fiduciaries have to process personal data without complying with notice and consent requirements, data fiduciaries need to evolve their own internal framework for legitimately using individuals’ data, and the manner and terms on which they demonstrate compliance with the DPDP Act.

The obligations of data fiduciaries will be more onerous when processing the data of children, which requires verifiable parental consent.

Furthermore, data fiduciaries cannot escape their general obligations under the DPDP Act merely by obtaining a contractual waiver from a data principal, or by citing a data principal’s non-compliance with its own legal responsibilities.

This makes it all the more important for technology companies to evolve a bespoke framework for seeking the consent of data principals, and for recording that consent as evidence in a manner suited to their businesses.

Renegotiating agreements

The DPDP Act places responsibility for safeguarding personal data shared with data processors on the data fiduciaries. Data fiduciaries will therefore need to renegotiate existing agreements with their data processors to comply, or frame new agreements with data processors that implement stringent protocols for the sharing, handling and processing of users’ data.

Establishing a clear framework with appropriate technological safeguards and a risk matrix – especially for sensitive data and children’s data – becomes paramount, as breaches may carry criminal implications and significant reputational damage. Since the DPDP Act does not prescribe any technical standards for safety protocols, a data fiduciary retains the flexibility to adopt industry-specific standards based on the sensitivity of the data it handles.

Embracing the road ahead

In this digital era, personal data – ranging from an individual’s demographic details, location and behavioural patterns to education, health records and financial details – is a highly valued asset, as it offers companies deep insight for targeting potential customers with more tailored products and services.

However, with the advent of the DPDP Act and its rules, personal data will be redefined as a proprietary asset of individuals, obliging data fiduciaries and processors to harness it while respecting individuals’ consent and choices.

Unlike the EU’s General Data Protection Regulation (GDPR), which came into force in 2018, the DPDP Act prescribes no formal timelines for its implementation. The law will not come into effect until the government provides notice of an effective date, which is still forthcoming.

Accordingly, until the government formally notifies the DPDP Act and its rules, technology companies servicing the Indian market must use this time to implement mechanisms to ensure proactive compliance.

Organisations offering products and services to end users that rely on digital personal data should review their existing internal protocols and establish an operational framework for data processing that defines the criteria for using such data in a way that meets the tests of the DPDP Act, as well as the retention period for each category of personal data.

Technology companies must also plan to integrate industry-certified technological measures to detect unauthorised data leaks, run periodic data integrity checks, and provide prompt and responsive grievance redressal mechanisms.

KAIZEN LAW

Founded in 2022, Kaizen Law is an independent law firm based in Gurugram, offering comprehensive legal advisory services on technology law and transactional matters. Our expertise encompasses private equity, early-stage and late-stage venture capital, M&A and exit financing transactions. We pride ourselves on providing legal advice on complex to routine matters with utmost efficiency and timeliness. Our clientele spans large Indian conglomerates, blue-chip Indian and global companies, multinational corporations, regulated institutions, investment funds, and entities functioning in the new age and technology services sector. In the past year alone, we have played a pivotal role as legal advisors in more than 20 transactions, collectively valued at approximately USD 2 billion.

Rooted in the Japanese philosophy of kai 改 and zen 善, signifying “change for the better” or “continuous improvement,” Kaizen Law distinguishes itself from its competitors through personalized service and an unwavering commitment to understanding our clients’ deal drivers.

The privacy and data protection team at Kaizen Law specializes in navigating the intricate compliance landscape on data policies and practices. We provide counsel on issues related to the Information Technology Act, 2000, and the regulations framed thereunder, protection of confidential and proprietary information, advisory on Indian privacy laws, data breaches, data transfers, use of cookies and online tracking, privacy policies, and the terms of use. With over seven team members boasting a collective experience of 30 years and having rich experience working in leading Indian firms, we are committed to delivering pragmatic, business-focused solutions that clients can trust.

Gurgaon
4th Floor, Spring House Plot No. 2
Golf Course Road, Sector 43
Gurgaon, Haryana – 122 011
India
Tel: +91 99 9919 1620
Email: harsh.kumar@kaizenlaw.in; contact@kaizenlaw.in
www.kaizenlaw.in
