The Digital Personal Data Protection Act, 2023 (‘Act’) has been notified[1] in the Gazette but is yet to come into effect. It introduces a comprehensive framework governing the processing of personal data, including notice[2] and consent requirements[3] and compliance with principles-based obligations[4] in respect of processing personal data of individuals (referred to as ‘Data Principals’). It also provides additional requirements for the processing of personal data of children and persons with disabilities[5] and extends certain rights to individuals[6].
Entities determining the means and purpose of processing (‘Data Fiduciaries’) that comply with the existing law may have to realign their approach in collecting and processing personal data. In effect, their business practices and operations will have to transition from expanding data collection to minimizing it to what is ‘fit-for-purpose’, so as to reduce exposure. Given its sector-agnostic approach, this law is likely to have a significant impact on entities across various sectors, including financial institutions.
Meeting consent and notice requirements
At the outset, any entity handling personal data must aim to realign customer-facing platforms and mechanisms with a privacy focus (such as by adopting privacy-by-design and default practices) and adhere to the privacy principles postulated by the Act. This includes the key requirements of publishing privacy notices and building a concrete consent architecture. Publishing brief, concise and unambiguous notices for data collection and processing may be relevant to demonstrate ‘specific’ and ‘informed’ consent[7] of Data Principals. Apart from brevity, such platforms must also make them available in the Eighth Schedule languages[8], in addition to English.
In the context of obtaining customer consent, the Act now provides that consent must be specifically obtained through a clear and affirmative action. This may warrant evaluation of consents obtained through click-wrap and other methods to determine whether:
- such mechanisms are sufficient to accurately authenticate the identity of Data Principals, with any additional measures (such as implementing two-factor authentication) taken if required;
- they avoid any practices which may lead to ambiguity in consent or lack a clear affirmative action on behalf of Data Principals; and
- they ensure storage of proof of consent in a retrievable and auditable manner, especially in view of the onus to demonstrate the same when required[9].
In this regard, relevant mechanisms may also have to be implemented to factor in receiving consents (and the exercise of other rights or requests) from Data Principals using Consent Managers[10]. Entities may have to develop standardized mechanisms to authenticate identity, and to manage and comply with such requests from Consent Managers. This may be particularly relevant in the context of entities in the financial sector (and consumer-facing platforms), where Consent Managers are likely to play an extensive role.
Interplay with sectoral regulations
The notification of the Act may also necessitate evaluating the interplay between the Act (including the DPA) and sectoral regulations, especially in sectors with higher regulatory activity, such as financial and fin-tech sectors. Sectoral regulators in financial services have been proactive in providing regulations for protection of specified data and measures such as localization (of payment system data[11], policyholder data[12] etc.), prescribing framework for information technology (for banks[13], NBFCs[14] and other regulated entities), information security[15] and incident reporting obligations, well ahead of the enactment of the Act.
This was also iterated in many reports (such as the Srikrishna[16] and Joint Parliamentary Committee[17] Reports) which have highlighted the need to harmonize sectoral laws and regulations with the data protection law. While the Act provides (with regard to cross-border transfers) that laws or regulations that provide a ‘higher degree of protection or restriction’ would continue to apply[18], a significant role would still have to be played by the Central Government or the DPA in harmonizing sectoral laws and regulations (including obligations other than cross-border transfers) with such requirements.
Relying on legitimate purposes for processing
The Act also does not expressly include certain grounds for processing covered in the predecessor drafts. The absence of ‘public interest’[19] and fair and reasonable[20] purposes outlined under deemed consent proposed in the Digital Personal Data Protection Bill, 2022 (‘2022 Bill’) is notably one among them. The 2022 Bill had proposed that processing pursuant to certain functions, such as detection and prevention of fraud, credit scoring, network and information security, would not require consent prior to processing personal data.
On the other hand, the Act permits processing for a purpose specified by the Fiduciary for which the Data Principal has voluntarily given personal data and consent has not been denied. Entities in the financial sector may take benefit by relying on the same in responding to enquiries, processing applications and other purposes not contemplated under applicable laws and regulations and limit processing based on consent, to the extent permissible.
While processing is permitted without consent in the case of certain legitimate uses, such purposes have not expressly been covered in the Act. In the absence of such legitimate purposes or any exemptions provided by the Government, entities may have to rely on consent in order to process such data.
Organizational measures
Fiduciaries in the financial sector may review internal protocols and mechanisms concerning disclosure and/or sharing of personal data with Fiduciaries as well as with entities which process on their behalf (or ‘Processors’). While such processing must only be undertaken pursuant to a valid contract, such agreements must also provide for obligations to:
- implement appropriate technical and organizational safeguards and security measures;
- comply with requests or exercise of rights of Data Principals (or Consent Managers);
- restrict sharing of such personal data further, unless authorized;
- prohibit any processing which may cause harm to the Data Principal;
- report breaches of personal data promptly;
- erase or delete any personal data at the request of Data Principals or Fiduciaries;
- conduct periodic assessments of purpose fulfillment and make erasures, where appropriate;
- engage processors or sub-processors only with approval of Fiduciaries;
- designate point-of-contact details for redressing grievances; and
- provide effective post-termination obligations for deletion of personal data.
Such entities must also consider deploying appropriate organizational measures to protect personal data, such as by implementing access control, asset management, incident response, information and network security, employee training, outsourcing and business continuity, apart from technical measures (such as pseudonymization and encryption).
Categorization as Significant Data Fiduciaries
Depending upon nature and volume of personal data processed and other factors (such as impact on public order and sovereignty), it is very likely that such entities would be classified as Significant Data Fiduciaries[21]. This would invite significant obligations on such entities such as conducting data protection impact assessments with regard to processing activities, periodic data audits and any other requirements prescribed by the Government.
While periodic training and development of employees is likely to be a prerogative for all entities, those categorized as Significant Data Fiduciaries may also have to appoint dedicated personnel for data protection compliance, such as resident data protection officers and independent data auditors, and invest in capacity building to ensure, evaluate and maintain compliance.
Availing necessary exemptions
The Act also enables entities to avail certain exemptions[22] from compliance, especially where processing is undertaken for legal compliance, enforcing legal rights, mergers and acquisitions, debt recovery and for outsourcing entities in India which process personal data of foreign nationals. Startups in the sector can also avail necessary exemptions from complying with notice, accuracy, retention limitation and information access request requirements.
In view of the above, entities in the financial and Fin-Tech sectors may well consider undertaking appropriate readiness assessments for assessing and ensuring that their frameworks for processing personal data including notice and consent architecture, technical, organizational and security measures remain ‘future-ready’ and responsive to implementation timelines and rule-making guidance anticipated soon.
[The authors are Executive Partner and Senior Associate in Data Protection and TMT practice of Lakshmikumaran & Sridharan Attorneys at New Delhi and Hyderabad, respectively]
[1] The Digital Personal Data Protection Act, 2023.
[2] Section 5, Digital Personal Data Protection Act, 2023.
[3] Section 6, Digital Personal Data Protection Act, 2023.
[4] Section 8, Digital Personal Data Protection Act, 2023.
[5] Section 9, Digital Personal Data Protection Act, 2023.
[6] Chapter III, Digital Personal Data Protection Act, 2023.
[7] Supra Fn. 7
[8] Section 5(3), Digital Personal Data Protection Act, 2023.
[9] Section 6(10), Digital Personal Data Protection Act, 2023.
[10] Section 6(7), Digital Personal Data Protection Act, 2023.
[11] Storage of Payment System Data Circular dated April 6, 2018.
[12] IRDAI (Maintenance of Insurance Records) Regulations, 2015.
[13] Cyber Security Framework in Banks dated June 2, 2016.
[14] Master Direction - Information Technology Framework for the NBFC Sector dated June 8, 2017.
[15] Guidelines on Information security, Electronic Banking, Technology risk management and cyber frauds.
[16] A Free and Fair Digital Economy, Committee of Experts under the chairmanship of Justice B. N. Srikrishna.
[17] Report of the Joint Committee on the Personal Data Protection Bill, 2019.
[18] Section 16, Digital Personal Data Protection Act, 2023.
[19] Clause 8(8), Digital Personal Data Protection Bill, 2022.
[20] Clause 8(9), Digital Personal Data Protection Bill, 2022.
[21] Section 10, Digital Personal Data Protection Act, 2023.
[22] Section 17, Digital Personal Data Protection Act, 2023.