India’s first privacy legislation, the Digital Personal Data Protection (DPDP) Act 2023, was supposed to have a transformative effect on the country’s tech landscape. But two months after India enacted the privacy law, companies are still finding it a tricky maze to traverse, with more unanswered questions than solutions provided. From large FMCG behemoths to small startups, from banks to telecom and tech firms, everybody appears to have doubts over how to go about implementing the various provisions of the new law. What’s more, the government’s new comment that large companies get six months to comply with the rules, while others may get up to a year with a few exemptions, has meant chaos and confusion reign supreme. The lawyers dealing with tech, media and communication, meanwhile, have their hands full, as corporates from across the spectrum approach them for guidance on implementation of the Act.
Easing of norms

Jaspal Sawhney, global chief information, security and privacy officer, Tata Communications, said that the company has initiated a gap assessment and is currently working on meeting specific requirements under the Act. “Considering our size and spread of operations, we will need a reasonable transition period for complete alignment with the specific requirements under the DPDP Act,” Sawhney said. “We look forward to reviewing the regulations that are currently being framed under the Act, as that would bring further clarity on the details.” Meanwhile, law firms are suggesting clients who are compliant with other countries’ data laws, like the European Union’s General Data Protection Regulation (GDPR), do a gap analysis. And for companies starting from scratch, they’ve recommended an internal audit of data collection, storage and sharing practices. However, companies said that sending notices to all users for taking consent will itself take a long time. Lawyer Rajeev Dewal, who works with the banking sector, said banks in India are in possession of a lot of personal data. “Banks have to appoint consent managers and create consent management departments within themselves and establish personal data management policies and procedures,” he said. Moreover, since the banks will be classified as ‘significant data fiduciaries’, they’d also need to hire data protection officers and independent data auditors, Dewal added. All of this means six months may not be enough. “Banks may ask for more time, since currently, they collect a lot of information that is unnecessary, and hence, they would have to redraft their forms,” he explained. These include documents for ‘know your customer’ (KYC) norms, which are essential documents, but information gathered by banks for marketing has to be hereafter collected only after stating the purpose of collecting such data, he said. “I think banks would need at least one year for the Act’s implementation,” he added.
Varying transition periods

Rajeev Chandrasekhar, Minister of State for Electronics and Information Technology, had said that entities may be granted varying transition periods based on their level of digitisation, data protection compliance maturity, etc. But even a two-year transition period may not be enough. Supratim Chakraborty, partner, Khaitan & Co, recalled how many entities struggled with compliance during the GDPR experience. “India’s unique ecosystem might pose additional challenges,” he said. Government entities, including state-level bodies with lower levels of digitisation, are expected to receive more time to transition, the minister had said. Early-stage startups, micro, small and medium enterprises (MSMEs), and select organisations like certain healthcare institutions are also proposed to get extended timelines to comply with the new law. For all other organisations that are seeking extensions, a compelling case must be presented to the Ministry of Electronics and Information Technology, outlining the rationale and the exact time extension being sought.
The finer aspects

Provisions of the new law necessitating substantial engineering effort, like obtaining verifiable parental consent for handling children’s personal data, may be allowed more time from a compliance perspective. Telecom businesses also need to revise their customer onboarding procedure to acquire users’ explicit consent before collecting or processing their data, experts said. “We expect further enhancements on processes and frameworks for onboarding to be in line with the DPDP Act,” said Swathi Arunaa, a senior market analyst covering telecom and IoT for the Asia/Pacific region at global market intelligence firm IDC. Telecom operators partner with multiple vendors, including third-party entities, to provide services to customers. “The Act will require them to revisit their processes and policies to mitigate risks and invest in areas to safeguard customer data,” Arunaa explained. Operators don the cap of data intermediaries and “must set up a framework with commercial arrangements between data holders and data users”. There may be a penalty of ₹250 crore if adequate security measures are not in place to prevent a data breach. “Telecom companies will be required to spend some money to review current systems and upgrade them, and incur maintenance costs for these systems,” she added. This cost includes investments to design consent systems for customers and tools to enhance privacy. Mahesh Uppal, director of Com First, a consulting company specialising in regulatory aspects of telecommunication and internet, also said that this will increase compliance among telcos and could also require revision of their onboarding procedures. However, the impact on telcos may be incremental rather than radical, since they are already subject to many stringent norms relating to privacy in their licences, he said. Much will also depend on the exact framing of rules under the Act.
This aspect will determine the scope of the obligations and the resulting cost or compliance burden. “We don’t know how the giving and withdrawing of consent will be implemented. The additional compliance burden might also be greater for OTT players than for telcos since the latter’s licences already contain many provisions relating to privacy and security,” he explained.

What’s yet to be prescribed?

Aman Taneja, lead of emerging technologies at Ikigai Law, also pointed out that many aspects of the law will be clarified through the rules which are yet to be prescribed, and that some companies are further along in their compliance journeys, either due to the sectors they’re in or other jurisdictions they operate in. So, the DPDPA’s implementation will be different for different companies. “Our advice to companies right now is not to be overly prescriptive, but forward looking, aimed at getting them on a path to compliance,” he said. Key to compliance with a law like this is the transformative journey it will lead companies through, rather than an end destination, the experts said. On age-gating, the government has the powers to prescribe the mechanism for obtaining verifiable parental consent, Taneja said. The hope is that this will provide broad contours of what is expected but leave the granular implementation to businesses.

Obligations in place

Vinay Butani, partner, Economic Laws Practice, said compliance within six months would be left to entities who would already be required to comply (and would be complying) with comprehensive data protection obligations under the GDPR, and therefore adhering to the DPDP Act would merely mean extending the scope of such obligations to cover users in India.
Examples of such obligations include the requirement of obtaining consent for data processing, having a grievance redressal mechanism in place, taking reasonable security practices to protect the data, notifying any personal data breach, and giving data principals a right to access/correct their data. However, challenges may be faced where the obligation is unique to India or wherever the obligation has a dependency on a third party and the third party does not have a mature solution. A few obligations under the DPDP Act may also require a larger timeline for implementation, such as an age-gating mechanism where data of children and persons with disabilities is processed only with the consent of their parents or lawful guardians. But doing so will entail undertaking an e-KYC of every user to determine if they are above the age of 18, and if they're not, obtaining consent from their parents. Given the fact that India has the highest number of users on many social media platforms (running into hundreds of millions), the sheer magnitude of this exercise may make it infeasible, especially if it has to be completed within six months, Butani said.

Six-month deadline

Falaq Patel, a technology and data privacy lawyer, said that with a six-month timeline, all corporates that do not fall under the category of startups, hospitals and MSMEs will have to simultaneously set up multiple processes to ensure consent is obtained from existing data subjects in line with the notice and language requirements under the DPDPA; map and audit all personal data that is collected; assess it against the legal bases of processing under the DPDPA; and carry out data purging activities where such data is no longer needed. Coupled with the lack of precedent on how enforcement action will be performed by the upcoming Data Protection Board, there is justifiable cause for panic among corporates who are data fiduciaries under the DPDPA.
“Companies should begin a thorough review of their agreements with third parties that may come under data fiduciary and processor relationships,” Chakraborty said. It is imperative to commence data mapping exercises, he said, adding that one could start by focusing on compliances that are relatively easier to implement, such as notice and consent requirements. A data mapping or inventory exercise on identifying and tracing the flow of personal data within an organisation, which is the first step on the path to compliance, may itself take a significant period of time, pointed out Akshayy S Nanda, a partner at Saraf & Partners law firm. Data mapping involves identifying and creating a data flow map that tracks how personal data enters, moves within and exits the organisation. It involves identifying the source systems, their various touchpoints, the applications they interact with and their ultimate destinations. A detailed understanding of the personal data processed by an organisation — including the sources of collection, storage and sharing with third-party data processors — is critical.

Source: https://economictimes.indiatimes.com/tech/technology/the-data-dilemma-companies-find-indias-privacy-law-a-tricky-maze-to-traverse/articleshow/104426196.cms