Pesky calls, spam emails and text messages targeted at phone numbers leaked from a digital service provider's database were hardly a big deal until Saturday, August 12. India now has a dedicated data privacy law that can impose penalties of up to Rs 250 crore on digital platforms that neglect data security.
The Digital Personal Data Protection Bill, 2023 received the President’s assent on Friday. The Act has been notified in the official gazette after six years of efforts, rounds of consultations, and several iterations. The law sets out principles for the collection, processing, and sharing of personal data of Indian citizens.
What does this mean?
At the most basic level, every digital platform will need to obtain free, specific, informed and unconditional consent from users before collecting their data. Unlike the current practice – in which most apps dump thousands of lines of terms and conditions followed by a checkbox reading “I agree” – the law requires the request for consent to be presented to users in simple, clear and plain language.
The data may be used only for the purpose specified when consent was obtained. The notice has to be made available, at the user's option, in English or any of the 22 languages listed in the Eighth Schedule to the Constitution. Users will also be able to withdraw consent at any point, after which the platform must stop processing their data and erase it, unless it is required by law to retain it. Processing in certain cases, such as medical emergencies, disasters, court orders and specified government functions, may not require user consent.
The law also requires platforms to account for the personal data they already hold: a user can ask for a summary of the personal data a platform has collected about her and how it is being processed. For instance, if a user of an ecommerce platform finds that the app has collected data disproportionate to the services it offers, she may have that data erased from the platform's servers.
Apps and websites collecting the personal data of users below 18 years of age, or of persons with disabilities who have a lawful guardian, must obtain verifiable consent from the parent or legal guardian. Under the Act, the government may issue rules directing platforms on how they are expected to comply with these provisions.
“Even as the finer details of the Bill will be clearer in days to come, it's highly recommended that enterprises start their journey towards privacy maturity now. This Bill touches the lives of more Indian citizens and businesses than any other law in recent times,” said Sivarama Krishnan, Partner & Leader, Risk Consulting, PwC India and Leader of APAC Cyber Security & Privacy at PwC.
The government will establish a Data Protection Board, an independent body that will examine personal data breaches and impose penalties. If the Board finds that a platform failed to take “reasonable security safeguards” to prevent a data breach, it can impose a penalty of up to Rs 250 crore. Failing to comply with the additional obligations relating to children's data may attract a penalty of up to Rs 200 crore. If a platform has been penalised in two or more instances, the government may, on a reference from the Board, block public access to its services.
The Act does not apply to personal data that the user to whom it belongs has herself made publicly available. Nor does it apply to personal data held only in offline, non-digital form, or to anonymised datasets.
The government has started consulting industry stakeholders on the implementation of the law. Rajeev Chandrasekhar, Minister of State for Electronics and Information Technology, told Business Standard that startups, Micro, Small and Medium Enterprises (MSMEs), and some government entities may get a longer transition period to comply with the law.
“There are implementation complexities that could prove to be a challenge for organizations while complying with the requirements of the bill, which include ensuring verifiability of parental consent for processing personal data of children, building a mechanism for obtaining and recording consent of Data Principals through a consent manager, complying with the Data Principal’s rights to erasure, and undertaking accountability for the Data Processors processing on behalf of Data Fiduciaries,” said Murali Rao, Cybersecurity Consulting Leader, EY India.
Social media firms and other big tech platforms may need to make major changes to the functionality of their apps to implement provisions such as parental consent and disclosure of the data they hold.
“Further, if content blocking is to be enabled by the Central Government on the recommendation of the board, then there has to be a strong framework detailing the criteria for blocking. The DPDP Bill is a significant step forward for data protection in India. This bill is a step towards showcasing India's dedication to fostering a secure and trustworthy environment for both its citizens and businesses,” Rao said.