The Digital Personal Data Protection Act, 2023 (DPDPA), the new data law in India, will require businesses to evolve, and in all likelihood, restructure their data protection frameworks and user experience. While the law is a noteworthy step towards better data governance, it poses many challenges for companies.
Over-reliance on consent as the ground for processing personal data is one of the main difficulties with the DPDPA. Businesses will need consent that is free, specific, informed, unconditional and unambiguous, given through a clear affirmative action and limited to the purpose stated in the notice. Under present law, consent is already the only ground for collecting sensitive personal data, but the bar for obtaining it is low: onerous opt-out provisions buried in terms and conditions, denial of service when a user refuses consent and implied consent are all market standard, and until now these practices have rarely been acted on by regulators. Businesses will now have to revisit how they interact with users to collect consent.
Consent requests and notices must be made available in English and in the 22 languages listed in the Eighth Schedule to the Constitution. User interfaces, apps and websites will also have to be restructured. Bundled consent is unlikely to be acceptable, so user interactions will become longer and more complex to ensure that users give separate consents for the same datasets being processed for different purposes. Consent requests will likely be staggered to avoid consent fatigue and higher drop-off at the initial onboarding stage. Internally, businesses will have to create forks within their online architecture to offer different permutations and combinations of their services to users who have given different consents to the processing of their data.
Consent as the primary ground for processing gives rise to additional challenges for the transfer of personal data among data fiduciaries. Every data fiduciary will have to identify its own ground for processing. Private companies have no right to undertake processing for internal business purposes, such as data analytics, AI and ML processing, and advertising and marketing, without consent. In a B2B context, companies will therefore either have to rely on consumer-facing data fiduciaries to seek consent for their use of personal data, or approach individuals directly for consent that the consumer-facing data fiduciaries were unable to secure. The former option imposes an operational burden on consumer-facing entities: they will receive and handle consent withdrawals and other exercises of data principal rights, and will then have to flow down obligations to data recipients to give effect to withdrawal and the exercise of those rights. The latter option would require businesses without a consumer-facing structure to build new ways of interfacing with users, disrupting existing data transfer chains.
However, businesses may in certain circumstances rely on other grounds to process personal data. Companies are, for example, permitted to process personal data in an employment context without consent, although pre-employment processing, such as resume parsing or recruitment, will still require consent. Separately, data fiduciaries may process personal data without consent where individuals have voluntarily provided it, but only for the specific purpose for which it was provided. Other grounds, such as medical emergencies, disclosures to state agencies and compliance with court orders, exist but have little bearing on ordinary commercial dealings.
As the DPDPA will require fundamental changes to consent structures and data transfers, businesses should begin extensive know-your-data and data mapping exercises now. This will give them effective oversight of the data they process, their existing systems and the gaps that have to be filled. Although no timeline has been notified, the DPDPA is likely to be brought into force in the coming months. An immediate gap analysis and plan of action for compliance will leave businesses better prepared for large-scale change.
Mathew Chacko is a partner and Aadya Misra is a counsel at Spice Route Legal.
Spice Route Legal
14th floor, Skav 909,
Lavelle Road, Ashok Nagar
Bengaluru, Karnataka 560025