
Digital Personal Data Protection Act, 2023 And Fintech: Cracking the Labyrinth


Introduction

The latest edition of the “Digital Personal Data Protection Act, 2023” (“DPDPA”) builds on its antecedent, released in November 2022 (“2022 Bill”), implementing some tactical modifications while retaining all core concepts. Alongside smaller modifications relating to the Data Protection Board, the more significant changes include the formation and constitution of the Data Protection Board[1] (“Board”) (which was earlier to be constituted ‘as may be prescribed’ by the Government), the power of the Central Government to make rules, and the circumstances under which entities can be exempted from the applicability of its provisions. Through this recent rendition, the law has set out robust notice and consent obligations, delineated permissible grounds for processing personal data without authorization, established a Tribunal, and levied additional responsibilities on Data Fiduciaries[2] when managing data pertaining to minors, among additional rules and regulations.

In addition to other alterations, the DPDP Act includes broad definitions pertaining to the “Obligations of Notice and Consent”, defines the acceptable “Legitimate Uses” for processing personal data without explicit consent, creates an “Appellate Tribunal” for addressing complaints, and imposes more restrictive obligations on data fiduciaries when handling the personal data of minors.

The DPDP Act specifically emphasizes safeguarding personal data primarily of a ‘digital’ nature. A notable concern is that numerous requirements of the DPDPA remain subject to determination by the Central Government. This scenario gives rise to concerns regarding the possibility of unfettered and capricious rule-making.

Government and its affinity with the pre-existing privacy framework

Initially, it appears that the DPDP Act establishes a reciprocal relationship with the Government of India’s wider regulations pertaining to information technology. The dimension concerning the solicitation of information is influenced by the interface between the IT Act[3] and the Information Technology (“Intermediary Guidelines and Digital Media Ethics Code”) Rules, 2021. This linkage grants the Central Government the authority to seek information from the Board, as well as from fiduciaries and intermediaries.[4] Fortunately, the lack of precise particulars calls for an examination of the scope, purpose, and protective measures attached to such requests for information, which must adhere to the legal principles expounded in the Puttaswamy judgment.

The Act imposes extra duties on ‘significant data fiduciaries’[5] (“SDFs”) beyond those required of data fiduciaries. The Central Government will notify SDFs separately, based on factors such as the volume and sensitivity of the personal data processed, the risk to the rights of the Data Principal, the potential impact on India’s sovereignty and integrity, the risk to electoral democracy, the security of the State, and public order. A single factor (such as the risk to the rights of a data principal) or a combination of factors (such as the volume and sensitivity of personal data processed) could lead to the classification of payment applications processing a high volume of payments, or telecom service providers, as SDFs.

Moreover, there appears to be substantial evidence of a correlation between the DPDP Act and the Information Technology (“Procedure and Safeguards for Blocking for Access of Information by Public”) Rules, 2009, thereby aligning data protection considerations with the governance of access to computer resources. The said arrangement involves the Centre exercising its authority, in accordance with established procedures and the principle of the right to be heard[6], to direct agencies or intermediaries to restrict access to information, with the aim of protecting public interests.[7] The convergence of these mechanisms provides a strong approach to addressing the risks associated with non-compliance, while also ensuring a comprehensive plan for implementation.

DPDP and Fintech: A Reverie?

Over the past few decades, India’s financial services sector has undergone a remarkable change, turning into a dynamic and quickly expanding business that is essential to the development of the country’s economy. This industry provides a broad range of services, such as capital markets, banking, insurance, and non-banking financial institutions, all of which have a major impact on the stability and growth of the nation’s economy.

Financial services in India are regulated by four main regulators: the Reserve Bank of India (“RBI”) supervises commercial banks, urban cooperative banks, financial institutions, and non-banking finance companies; the Securities and Exchange Board of India (“SEBI”) controls capital markets, mutual funds, and other intermediaries; the Insurance Regulatory and Development Authority of India (“IRDAI”) regulates the insurance industry; and the Pension Fund Regulatory and Development Authority (“PFRDA”) regulates the pension industry in India.

The DPDP Act aims to strike a balance between promoting innovation in the Fintech sector and safeguarding individuals’ personal data. It is acknowledged, however, that the DPDP Act proposes a framework that is at variance with the current Fintech industry framework, namely the Guidelines on Digital Lending (“GDL”) issued by the RBI in 2022.

Under the GDL, the regulated entity bears the responsibility of safeguarding a customer’s digital personal data (“DPD”). In addition, once a customer’s DPD is acquired, the regulated entity must ensure that the technology operates in a way that protects that data and conforms with privacy laws. Since the DPDP Act was introduced, the main obstacle facing the Fintech industry has been the inability to identify whether a regulated entity or a Fintech operator is a data processor, a data fiduciary, or both.

The definitions of data processor and data fiduciary under the DPDP Act are wide enough that both the regulated entity and the Fintech operator fall within their ambit, since both determine the purpose of collection and the means of processing the DPD. Therefore, before collecting a customer’s DPD, Fintech companies will now need to clearly state the nature of the relationship between the regulated entity and the Fintech operator, and their respective obligations. However, when it comes to determining liability, the DPDP Act appears to contradict the GDL: the DPDP Act holds both Fintech operators and regulated entities accountable for any violations in the governance of DPD, while the GDL holds regulated entities solely accountable.

Another distinction lies in the procedure for collecting DPD under the GDL and under the DPDP Act. The DPDP Act is silent on the subject of data localization or storage requirements, whereas the GDL requires regulated entities to store the data acquired on servers situated in India. The DPDP Act additionally extends the geographical reach of the GDL by governing the collection of DPD whether in India or in an offshore jurisdiction. The extraterritorial application of the legislation appears to be the rationale for the DPDP Act’s silence on localization, but this leaves Fintech companies in an uncertain legal position.

Critique on DPDP

However, the DPDPA is not without its critics. Some might argue that it is too restrictive and that it will stifle innovation. Others might argue that the DPDPA does not go far enough to protect the privacy of individuals, given the power and discretion granted to the Central Government with regard to the processing of personal data. It remains to be seen how the Central Government introduces rules through delegated legislation to regulate those aspects of the DPDPA that are yet to be prescribed. Given the frequent use of the phrase ‘as may be prescribed’ throughout the DPDPA, the Central Government should ideally establish a uniform process for the release of these multiple rules, including holding regular consultations with stakeholders from across the industry. MeitY has previously seen great success in holding such stakeholder consultations, as was evident in the introduction of the amendments to the Information Technology (“Intermediary Guidelines and Digital Media Ethics Code”) Rules, 2021 for online gaming in April 2023. Such rules would then take all industry practicalities into consideration, ensuring a robust data protection regime that benefits the entire technology industry in India.

Lastly, it is crucial to provide a transition period that allows businesses sufficient time to put the necessary processes in place and adhere to the requirements of the DPDPA. With the onset of newer and stricter obligations, data fiduciaries may have significant work to do. Implementing the DPDPA without a transition window could be catastrophic, resulting in large-scale non-compliance. A sufficient transition period will ensure that businesses can make the necessary adjustments smoothly, in line with the requirements outlined in the DPDPA.

The Way Forward

The DPDP Act is a significant step towards ensuring the safeguarding of personal data in India. This step was long overdue, given the number of internet consumers in India, the data generated by them, and the country’s role in cross-border trade and investment. While the current laws protect the rights of data principals, require the reporting of incidents, impose obligations on data processors, and so on, the regulatory frameworks governing these are neither complete nor concrete. The DPDPA will overhaul the framework and repeal and replace the current laws. It is also a significant step forward in protecting the privacy of individuals in India. It creates a more transparent and accountable framework for the processing of personal data, empowering people with more autonomy over their personal data. The DPDPA will also help to protect individuals from the misuse of their personal data, and give them greater capability to enforce their individual rights in relation to that data.

[1] Section 8(5), Digital Personal Data Protection Act, 2023.

[2] Section 10(2), Digital Personal Data Protection Act, 2023.

[3] Section 2(1)(w), Information Technology Act, 2000.

[4] Section 36, Digital Personal Data Protection Act, 2023.

[5] Section 10(1), Digital Personal Data Protection Act, 2023.

[6] Section 37, Digital Personal Data Protection Act, 2023.

[7] Section 37(2), Digital Personal Data Protection Act, 2023.
