Companies As Custodians Of Information: Data Protection Compliances

Why data protection:

In the landmark judgment of Justice K.S. Puttaswamy vs. Union of India¹, the Hon'ble Supreme Court of India explicitly recognised and laid down that right to privacy is a fundamental right under Article 21 of the Indian Constitution. Accordingly, every person including an individual, company/firm/association, a Hindu undivided family, state and every artificial juristic person ("Data Principal"), is entitled to the right of privacy which also encompasses the right to protection of personal data.

Personal data refers to any data that helps in identifying a person² and breach of the same in any form of unauthorised processing or accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access may compromise the data's confidentiality, integrity or availability, which can cause prejudice to such a person in terms of financial losses, reputational damage, legal issues, regulatory fine and breach of consumer trust. Thus, the person collecting personal data ("Data Fiduciary") is obligated to undertake appropriate measures and avoid such breach. Accordingly, the Companies have been bestowed with additional responsibility as custodians for following proper procedure while collecting data, ensuring proper use within permissible limits and safeguarding such data. This article seeks to give a brief overview of all the requisite data protection compliances that need to be undertaken by Indian companies to fulfil this responsibility.

Legal framework:

The Information Technology Act, 2000 read with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI") impose obligations on Data Fiduciaries including a company or a person located in India to implement strong data protection measures and safeguards for protecting the individual's sensitive personal data i.e. bank account details, present and past health records, passwords, sexual orientation, biometric data, credit/debit card details³. However, given the ongoing and probable data breaches/misuse, especially in the digital era, the need for a comprehensive and stricter data protection law was felt by the Indian parliament and hence the Digital Personal Data Protection Act, 2023 ("DPDPA") was enacted on August 11, 2023, which is soon to come in force. Once it comes into force, the SPDI Rules will no longer be applicable and only DPDPA will regulate the process of data sharing/collection and processing in India. Thus, it is important to analyse the compliances and consequences laid down in DPDPA.

Every Indian company, as a Data Fiduciary must comply with the DPDPA and implement appropriate technical and organisational measures to ensure effective observance of the provisions of the DPDPA and the rules made thereunder. This approach must be adopted for the purpose of ensuring data protection of the company itself, its employees and its clients through contractual arrangements and its internal policies.

No right is absolute:

The DPDPA has adopted a balanced approach by providing for processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes⁴. Thus, few exceptions have been carved out in the DPDPA whereby the data of Data Principals can be processed without obtaining their explicit consent. This is where the DPDPA differs from the European Union's General Data Protection Regulation (GDPR), which has a higher standard of data protection as the same requires obtaining of explicit consent without exceptions.

DPDPA applies to processing of personal data in digital form or personal data collected physically but digitised subsequently, within the territory of India. It also applies to digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services to Data Principals within the territory of India⁵. DPDPA mandates a Data Fiduciary to obtain consent of Data Principals before processing their data. However, this obligation does not apply in the following situations: (1) Personal data processed by the Data Principal for personal or domestic purpose; (2) Publicly available personal data; (3) Processing of personal data for "legitimate uses⁶" including the following situations, wherein consent is deemed to be given even if not obtained explicitly:

1. cases where the Data Principals have voluntarily provided personal data to the company and in respect of which they have not indicated that they do not consent to the use of such personal data; and
2. cases where processing is necessary for: (i) for fulfilling obligations under any law or compliance with orders issued by courts; (ii) for responding to medical emergency involving threat to the life or immediate threat to the health of the Data Principal or any other individual; (iii) for performance of functions by the State or any of its instrumentalities under any law or in the interest of sovereignty and integrity of India or security of the State; (iv) for providing medical treatment or health services during an epidemic, outbreak of disease, or other threat to public health; (v) for ensuring safety/providing assistance/services during any disaster or a breakdown of public order; and (vi) for employment related purposes for safeguarding the employer/company from loss or liability, such as prevention of corporate espionage, maintenance of confidentiality of trade secrets, intellectual property, classified information or provision of any service or benefit sought by a Data Principal who is an employee.

The DPDPA also provides for duties of the Data Principal (employees/clients) to provide authentic data and not to file frivolous complaints.

Compliance, not a choice but a must:

Every company located in India is required to comply with the DPDPA and fulfil its obligations⁷ explained below:

1. Protect personal data in its possession or under its control, by taking reasonable security safeguards to prevent personal data breach.
2. Process only necessary data for a lawful purpose for which the individual has consented or for legitimate uses.
3. Request Data Principals to give consent and along with it, issue a notice including the following particulars: (a) personal data and the purpose of processing the same; (b) manner in which the Data Principal can exercise his/her rights of giving or reviewing or withdrawing the consent given and grievance redressal as provided by the Data Fiduciary; and (c) manner in which complaint can be made to the Data Protection Board ("DPB"), an option that can be availed only after exhausting the grievance redressal mechanism. Such consent has to be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of personal data for the specified purpose.
4. Ensure completeness, accuracy and consistency of personal data if the processing can affect the data Principal or if the said data is being disclosed to another Data Fiduciary.
5. Cease and cause its data processors to cease processing the personal data if consent is withdrawn except in instances of legitimate uses.
6. Erase or cause its data processor to erase personal data upon withdrawal unless retention is necessary for compliance with any law.
7. Give option to the Data Principal to access the contents of notice, on request and correct/update any incorrect or incomplete data.
8. Where the Data Fiduciaries are processing personal data that is likely to be used to make a decision that affects the Data Principal or is to be shared with another Data Fiduciary, they are required to ensure accuracy and completeness of such personal data.
9. Intimate the DPB and each affected data Principal about Personal data breaches.
10. Not to transfer data to any other country/territory for processing if such transfer is restricted by Central Government by way of notification. The DPDPA also provides that if there is any other law which provides a higher degree of protection for transfer of personal data outside India, such law or regulation will be applicable.
11. Establish a grievance addressal mechanism and provide contact details of data protection officer and grievance officer.
12. Implement additional safeguards for processing personal data of children or persons with disability.

What's at stake?

Even though the DPDPA does not contain a private right of action, a company may be liable for non-compliance and payment of penalty (which may extend up to Rs. 250 crores)⁸ depending on the nature of breach and its gravity. It is pertinent to note that the process of litigation and appellate procedure, as provided under the DPDPA, may take longer and there is a high risk of reputation loss. To avoid heavy penalties and reputation loss or business loss, a company must implement DPDPA for protecting personal data of its employees and customers/clients. The company must also protect its own rights while entering contractual arrangements with other organisations as not incorporating specific clauses pertaining to data protection in the contract, may jeopardise the business interest or reputation of the Company.

Way forward:

The author feels that even though the DPDPA provides a comprehensive framework for data protection, it does not address the following:

1. Storage of personal data by the company/ Data Fiduciary for limited time. Additionally, unlike GDPR, there is no reference to the responsibility of a company to maintain a record of processing. Including these measures will help in maintaining transparency.
2. The DPDPA does not differentiate between sensitive personal data/information and personal data. There should be a specific reference to the same for further clarity and mitigating the risks of data breach. Also, unlike the GDPR, the DPDPA does not include the concepts of "pseudonymization" and "anonymization" of personal data.
3. Legitimate uses do not cover processing for the purpose of performance of contract unless the contract specifically bars such processing.
4. There is no specific transfer mechanism provided in the DPDPA for cross border transfer of personal data.
5. There is no specific liability/penalty prescribed for data processors. The responsibility to ensure that the data processors are processing within limits prescribed by the DPDPA, is on the Company.
6. The definition of data must be more elaborate. This is also important as the DPDPA provides for amendment⁹ of the Right to Information Act, 2005 ("RTI") according to which any information relating to personal information will not be disclosed to an RTI applicant.

The above issues need to be clarified by way of an amendment or notification.

Footnotes

1. (2017) 10 SCC 1.

2. Section 2 (t) of the Digital Personal Data Protection Act, 2023 (DPDPA).

3. Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.

4. Preamble of the DPDPA.

5. Section 3 of the DPDPA.

6. Section 7 of the DPDPA.

7. Section 8 of the DPDPA.

8. The Schedule to the DPDPA.

9. Section 44(3) of the DPDPA.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.