How the DPDP Act, 2023 Birthed a New Business Approach
- seo835
- Jul 14
- 7 min read
The Digital Personal Data Protection Act, 2023 (DPDP Act) is a nuanced and heavily principle-based statute. It proposes to increase data principals' control over their personal data, restrict data processing activities, and strengthen the accountability of organizations that process personal data.
Before the DPDP Act, India's data protection regime was largely governed by the Information Technology Act, 2000 (IT Act) and the 2011 SPDI (Sensitive Personal Data or Information) Rules. The IT Act, one of the oldest and most important pieces of legislation framed specifically for India's digital space, established a legal framework for electronic governance but lacked strong provisions for data protection. Sections 43A and 72A of the IT Act addressed data protection by mandating reasonable security practices and procedures and by penalising breaches of confidentiality.
For all intents and purposes, the IT Act failed to establish itself as legislation exclusively curated for data protection, leaving a rather open sector prone to large-scale violations. In fact, India faced over 400 million cyber threats across 8.5 million endpoints in 2023, averaging 761 detections per minute according to the Data Security Council of India (DSCI). The nation saw numerous significant data breach events such as the Aadhaar Data Breach (2018), NPCI Data Leak (2016) and Zomato Data Breach (2017).
The General Data Protection Regulation (GDPR) of the European Union can be considered a foundational act, as the DPDP Act has borrowed ideas from the GDPR, implementing provisions that mirror it, such as data subject rights, consent, data breach notification, and the designation of Data Protection Officers.
Through the constitutional looking glass, the landmark judgment in the Justice K.S. Puttaswamy case saw the Supreme Court recognise privacy as a constitutional right under Article 21 of the Indian Constitution. This recognition generated an imperative for a comprehensive data protection law that would give effect to that right.
Large Indian IT companies already adhere to GDPR norms such as data protection policies, the designation of Data Protection Officers, and Data Processing Agreements when dealing with EU customers. For large market players such as TCS, European customers account for 30-35% of total revenues, so international compliance is necessary to keep the business going.
The DPDP Act - A Turning Point
The DPDP Act provides some new and enhanced features that set it apart from earlier legislation. The language of the Act reflects its holistic approach, defining novel terms such as data fiduciary, data processor, data principal, digital personal data, and consent manager.
The Act makes it mandatory that data created in India adhere to Indian law, thus ensuring data sovereignty. It requires certain personal data created in India by foreign firms to be stored locally, improving data security and sovereignty by retaining important data domestically. This broad applicability brings both domestic and foreign actors carrying on business in India within the provisions of the Act. The Act also grants data principals expansive rights: consent rights (the right to withdraw consent, access data, and be informed of who it has been disclosed to), correction rights (the right to correct, complete, update, or erase data), nomination rights (the right to nominate representatives to exercise these rights), and grievance redressal mechanisms.
![[Image Sources: Shutterstock]](https://static.wixstatic.com/media/3f05e9_cb362391950145b893215b92e358a88f~mv2.png/v1/fill/w_661,h_343,al_c,q_85,enc_avif,quality_auto/3f05e9_cb362391950145b893215b92e358a88f~mv2.png)
How Did the DPDP Act Change the Business Mindset?
The DPDP Act brought in revolutionary shifts that continue to displace the preconceived standards by which businesses gather, process, and manage personal information across different business functions.
Organizations have to establish advanced consent management systems that let users manage preferences easily and withdraw consent without compromising core service functionality. This change makes user consent a dynamic and revocable process instead of a single one-off authorization.
Putting cybersecurity in place to meet the DPDP Act can prove especially expensive for Indian SMEs and small startups. The expenses are not limited to technology improvements; they also involve bringing systems up to date, training personnel, recruiting skilled staff, absorbing possibly higher insurance premiums arising from greater liability and data breach risk, and deploying continuous monitoring solutions to identify and respond to security incidents in real time.
The Act requires companies to institute effective security safeguards to protect personal information, compelling organizations to adopt strong security practices and build robust security frameworks. Security technologies on par with industry standards, such as encryption, DLP, Identity and Access Management (IAM), cloud security, SIEM, data masking, tokenization, endpoint protection, and file integrity monitoring, need to be periodically renewed and upgraded. Based on DSCI reports, end-user spending on risk management and security in India for 2023 was expected to be around $2.65 billion, with estimates for 2024 indicating 4% growth.
Firms are required to be transparent about their data collection and processing activities, giving clear privacy notices and securing explicit consent from data principals. Data fiduciaries are accountable for compliance and must engage data processors through valid contracts, while remaining responsible for the consistency, accuracy, and completeness of the data they process.
Failure to comply with the DPDP Act attracts severe financial penalties: up to ₹250 crores for breaches of security safeguards, up to ₹200 crores for failure to report data breaches, and up to ₹150 crores for violation of significant data fiduciary duties. These penalties carry substantial financial risk, making compliance not only a regulatory requirement but a business imperative.
An Implementational Spiral
In spite of its detailed framework, the DPDP Act poses implementation issues that businesses must navigate carefully, especially given the intricate regulatory landscape and the principles-based nature of the legislation.
Indian startups and SMEs, being highly data-intensive and therefore lucrative targets for cyber-attacks, face serious compliance challenges because of limited resources. Only 4% of Indian companies have the "mature" level of preparedness required to deal with cybersecurity, while the rest treat it as an afterthought for lack of funding, according to Cisco's 2024 Cybersecurity Readiness Index. Such small organizations cannot afford strong cybersecurity, which makes complying with the DPDP Act especially difficult.
The DPDP Act's principles-based approach, while offering flexibility, also generates policy uncertainty. Its provisions leave room for interpretation, especially when read together with sectoral laws. The lack of specific operational guidelines, coupled with the possibility of arbitrary government notifications and policy changes, creates a confusing regulatory regime that firms must monitor and adjust to on a regular basis.
The proposed DPDP Rules require data fiduciaries to notify affected data principals and the Data Protection Board of a personal data breach "without delay," with a report of specific details within 72 hours. However, the phrase "without delay" is not defined, which could create apparent contradictions with the existing reporting requirements prescribed by CERT-In. The absence of a reporting threshold means organizations must report every personal data breach regardless of severity, which could lead to over-reporting and inundate regulatory bodies.
The Act imposes new checks on the transfer of personal data out of India, and the central government may prohibit transfers to certain countries or territories. This leaves companies with international operations uncertain, as they must keep abreast of government notifications and adjust their data transfer arrangements accordingly.
The DPDP Act requires amendments to some existing legislation, such as the Telecom Regulatory Authority of India Act, 1997, the Information Technology Act, 2000, and the Right to Information Act, 2005. This need for legislative coordination complicates implementation and can create temporary regulatory gaps or overlaps.
A Digital Sector, A Digital Conundrum
The e-commerce industry, which depends on personal data at every stage from customer acquisition to order delivery, is especially affected by the DPDP Act.
Perhaps the most important question for e-commerce companies is identifying who the data fiduciaries are. Platform providers, who gather personal information for analytics, targeting, and marketing purposes, are clearly data fiduciaries. The position of individual sellers and retailers on platforms is more nuanced. Large retailers that choose what data they obtain for order fulfillment can also be considered data fiduciaries, provided they are not mere fulfillment agents without visibility into customer data.
E-commerce companies often share customer information with a range of third parties, such as underwriting firms, KYC/AML providers, payment processors, marketing agencies, and insurance companies. Under the DPDP Act, companies have to ensure that all vendors erase the data whenever consent is withdrawn, which requires careful coordination and verification across the entire data processing chain. This duty extends to locating every instance of data shared with every vendor and monitoring the erasure process to confirm compliance.
E-commerce companies need to update their consent processes so that consent is managed smoothly, apply granular consent across multiple languages, and create DPDP-friendly interfaces for managing preferences and withdrawing consent. The transformation also includes ensuring that fundamental app or platform operations remain unaffected when users withdraw consent for particular data processing activities.
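The consent management and vendor-erasure duties described above (per-purpose consent that can be withdrawn at any time, onward disclosures that must stop once consent is gone, and erasure that has to be tracked and verified with every vendor that received the data) can be modelled as a small ledger. The following is an added illustration written for this article, not code from the article's author or from any product; the class names, the purposes, the vendor names, the principal id "dp-001" and the seven-day erasure SLA are all constructed assumptions.

```python
"""Consent ledger with withdrawal propagation and erasure verification.

Added illustration (not from the article or any named product). Models the
DPDP-style obligations discussed in the article: granular, per-purpose consent
that a data principal can withdraw, and the fiduciary's duty to have every
downstream vendor erase the data after withdrawal and to verify that erasure.
All names, purposes, vendors and timestamps below are constructed examples.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Consent:
    principal_id: str
    purpose: str
    granted_at: datetime
    withdrawn_at: datetime | None = None


@dataclass
class Disclosure:
    """One onward share of a principal's data with a vendor, for one purpose."""
    principal_id: str
    purpose: str
    vendor: str
    shared_at: datetime
    erasure_requested_at: datetime | None = None
    erasure_confirmed_at: datetime | None = None


class ConsentLedger:
    """Per-purpose consent register plus a log of every onward disclosure."""

    def __init__(self) -> None:
        self._consents: dict[tuple[str, str], Consent] = {}
        self._disclosures: list[Disclosure] = []

    def grant(self, principal_id: str, purpose: str, now: datetime) -> None:
        # A fresh grant replaces any earlier (possibly withdrawn) record.
        self._consents[(principal_id, purpose)] = Consent(principal_id, purpose, now)

    def is_active(self, principal_id: str, purpose: str) -> bool:
        consent = self._consents.get((principal_id, purpose))
        return consent is not None and consent.withdrawn_at is None

    def disclose(self, principal_id: str, purpose: str, vendor: str, now: datetime) -> None:
        # Onward sharing is only permitted while consent for that purpose is active.
        if not self.is_active(principal_id, purpose):
            raise PermissionError(f"no active consent for {principal_id!r}/{purpose!r}")
        self._disclosures.append(Disclosure(principal_id, purpose, vendor, now))

    def withdraw(self, principal_id: str, purpose: str, now: datetime) -> list[str]:
        """Record the withdrawal and open an erasure request with every vendor that
        received data for this purpose. Returns those vendors (deduplicated)."""
        consent = self._consents.get((principal_id, purpose))
        if consent is None or consent.withdrawn_at is not None:
            return []
        consent.withdrawn_at = now
        vendors: list[str] = []
        for d in self._disclosures:
            if (d.principal_id, d.purpose) == (principal_id, purpose) and d.erasure_requested_at is None:
                d.erasure_requested_at = now
                if d.vendor not in vendors:
                    vendors.append(d.vendor)
        return vendors

    def confirm_erasure(self, principal_id: str, purpose: str, vendor: str, now: datetime) -> None:
        # Called when the vendor attests that it has erased the data.
        for d in self._disclosures:
            if (d.principal_id, d.purpose, d.vendor) == (principal_id, purpose, vendor) \
                    and d.erasure_requested_at is not None and d.erasure_confirmed_at is None:
                d.erasure_confirmed_at = now

    def pending_erasures(self, now: datetime, sla: timedelta) -> list[dict]:
        """Erasure requests not yet confirmed, flagged as overdue once past the SLA."""
        return [
            {"principal_id": d.principal_id, "purpose": d.purpose, "vendor": d.vendor,
             "overdue": now - d.erasure_requested_at > sla}
            for d in self._disclosures
            if d.erasure_requested_at is not None and d.erasure_confirmed_at is None
        ]


def demo() -> dict:
    """Walk one principal through grant, disclosure, partial withdrawal and follow-up."""
    t0 = datetime(2025, 7, 1, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    ledger = ConsentLedger()
    ledger.grant("dp-001", "order_fulfilment", t0)
    ledger.grant("dp-001", "marketing", t0)
    ledger.disclose("dp-001", "order_fulfilment", "logistics-partner", t0)
    ledger.disclose("dp-001", "marketing", "marketing-agency", t0)
    ledger.disclose("dp-001", "marketing", "analytics-vendor", t0)

    t1 = t0 + timedelta(days=10)
    notified = ledger.withdraw("dp-001", "marketing", t1)  # marketing only
    # Any further marketing share must now be refused, while fulfilment continues.
    try:
        ledger.disclose("dp-001", "marketing", "new-agency", t1)
        refused = False
    except PermissionError:
        refused = True
    ledger.confirm_erasure("dp-001", "marketing", "marketing-agency", t1 + timedelta(days=1))

    t2 = t1 + timedelta(days=8)  # one vendor has still not confirmed after the 7-day SLA
    return {
        "notified": notified,
        "refused_after_withdrawal": refused,
        "fulfilment_still_active": ledger.is_active("dp-001", "order_fulfilment"),
        "marketing_active": ledger.is_active("dp-001", "marketing"),
        "pending": ledger.pending_erasures(t2, timedelta(days=7)),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the design is that every onward share is recorded against the purpose it was made for, so a withdrawal for one purpose can be propagated to exactly the vendors that received data for it without touching the consents (here, order fulfilment) the user left in place, and the open erasure requests give the fiduciary the verification trail the article says it must maintain.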
The Digital Personal Data Protection Act provides a fairly holistic framework that can be said to strike a balance between individual privacy rights and the needs of business innovation. It helps advance the vision of a digital India while plugging the long-standing gap in data protection created by the perpetually rising number of data breaches and the lack of tangible accountability frameworks.
As India transitions to full enforcement of the DPDP Act, the success of that transition will depend on sustained cooperation among policymakers, enterprises, and civil society. Government support for enterprises through the transition, possibly through new funding initiatives for cybersecurity infrastructure at SMEs and start-ups, will be critical to ensuring broad compliance and the Act's operational effectiveness.
Essentially, the success of the DPDP Act will lie in its capacity to establish a trust-based digital environment in which citizens have confidence in sharing their data while businesses remain free to innovate and expand. The Act is not just a piece of legislation but an instrument for creating a safer, more transparent, and more trustworthy digital future.
Author: Diya Vinekar. In case of any queries, please contact us by email at chhavi@khuranaandkhurana.com or at Khurana & Khurana, Advocates and IP Attorneys.