The Digital Personal Data Protection Act, 2023 (DPDPA), is expected to be implemented in the coming months. Businesses have begun to bring their data protection governance programmes into line with the legislation. However, a close reading of the law reveals ambiguities that, if not addressed, will prevent effective compliance.
For instance, concerns have been raised about the DPDPA’s over-reliance on consent. The DPDPA enables processing on the grounds of consent and legitimate uses, which include the voluntary provision of data, employment-related purposes, and processing for state-related functions. Many businesses’ processing functions cannot be justified on either of those grounds. For example, credit information companies are legally obliged to process certain types of personal data. The DPDPA, however, requires these organisations to seek consent or ensure that the companies they partner with or provide services to have sought consent. Both options are impractical. The absence of a ground for processing data in compliance with legal obligations jeopardises the provision of services that serve crucial purposes.
In addition, the DPDPA does not apply to the processing of publicly available personal data. This exemption would cover data made available by data principals directly, or data that is made available by any person who is under a statutory obligation to make such data publicly available. Unfortunately, the law does not define “publicly available” data. The processing of personal views made available on a blog is exempt from the law. However, it is not clear whether the processing of the same views made available in a closed social media group, or on a platform that is semi-public, is exempt as well. Lack of clarity aside, this exemption encourages large-scale data scraping but does not impose corresponding obligations on businesses to implement security measures protecting scraped personal data, to report breaches that affect such data, or otherwise to be held accountable. Guidance from the government on the scope of publicly available data would be welcome.
The DPDPA does not apply to the processing of personal data of individuals based outside India by India-based data processors for a non-India-based data fiduciary or data processor. While security-related obligations will apply to such foreign personal data, the individuals concerned have no rights under the DPDPA. Further, state access to such data continues. This may dissuade companies subject to the GDPR’s cross-border data transfer restrictions from outsourcing services to Indian companies because of the lack of adequate protection for such data.
Regarding retention, data fiduciaries must erase data as soon as a data principal withdraws their consent or the specified purpose of processing such data is satisfied, whichever is earlier. A lack of precision in the law’s text may permit an interpretation that data fiduciaries are exempted from the obligation to erase data if retention is necessary for any purpose determined by the data fiduciary. This may be so even if an individual withdraws their consent for such processing.
Data fiduciaries are required to take technical and organisational measures to ensure compliance with the DPDPA and to implement security safeguards to prevent personal data breaches. Businesses must notify the Data Protection Board of India and affected data subjects of personal data breaches. Presently, this would mean dual reporting obligations, as existing cybersecurity laws also require the reporting of certain types of cybersecurity incidents, including personal data breaches. Entities that fall within the jurisdiction of sectoral regulators are subject to further reporting obligations. Maintaining multiple distinct reporting mechanisms can increase the reporting burden on organisations as they navigate different reporting requirements, timelines and stakeholders. This may divert valuable resources from incident response and mitigation. A holistic approach to incident response, taking into account the broader cybersecurity situation, may be more effective in mitigating risks and preventing future incidents.
However, the DPDPA has helped to set up a framework for data protection and it is hoped that the government will prescribe rules clarifying ambiguities, taking into account both business needs and individual expectations.
Mathew Chacko is a partner, Aadya Misra is a counsel and Ada Shaharbanu is an associate at Spice Route Legal.