Insights from Around the Globe: Challenges Faced By Businesses In Complying With The Indian Data Protection Statute 

Interlegal Permanent Officer


In our continuous quest to understand the landscape of data protection laws and regulations, we reached out to legal professionals around the world. Our member Gaurav Bhalla from Ahlawat & Associates shared insights into navigating the uncertainties businesses face in adapting to the provisions of the recent data protection framework.

The Government has recently enacted (and notified) the Digital Personal Data Protection Act, 2023 (“Act”). While the statute has been notified, its provisions are yet to come into force. This is because the rules (“Rules”) (i.e. the subordinate legislation under the Act) need to be enacted, which will provide clarity on the appropriate means of compliance as well as various other aspects (on which the Act is currently silent). Until the Rules are notified, businesses are in limbo regarding the appropriate means of ensuring compliance with the provisions of the statute. We anticipate that some of the primary challenges which businesses will face in complying with the provisions of the Act will be as follows:

Requirement Of Issuance Of Notice For Seeking Consent 

Section 5 of the Act provides that – “Every request made to a Data Principal under section 6 for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,— (i) the personal data and the purpose for which the same is proposed to be processed; (ii) the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and (iii) the manner in which the Data Principal may make a complaint to the Board, in such manner and as may be prescribed.”  

While under the erstwhile statute the requirement of consent would have been completed by simply having the user agree to the privacy policy (by ticking the relevant field for it), the new Act provides that a notice has to be displayed to the users listing out the various aspects set out in the aforementioned provision. However, the manner of displaying such notice has not been prescribed yet (leaving businesses in limbo as regards putting in place the relevant technical infrastructure for ensuring this compliance). Further, the requirement of display of a notice adds a step to the user registration/access journey on online platforms (which would make it less user friendly and reduce the number of active users). It is expected that the Rules would address these concerns, which would make it easier for businesses to understand how to comply with this provision.

Requirement Of Seeking Consent In Respect Of Personal Data Of Children

Section 9 of the Act provides that – “The Data Fiduciary shall, before processing any personal data of a child or a person with disability who has a lawful guardian obtain verifiable consent of the parent of such child or the lawful guardian, as the case may be, in such manner as may be prescribed.” 

This provision imposes an obligation on data fiduciaries to obtain ‘verifiable’ consent from the parent/lawful guardian of a child (where the personal data of such child is being processed). Since the statute doesn’t elaborate on what would amount to ‘verifiable consent’, the appropriate manner of seeking such consent isn’t clear to businesses. It is expected that the Rules will provide better clarity on the means to obtain ‘verifiable consent’ from the data principals.

Further, social media intermediaries are extremely concerned with observing compliance with this provision since they collect and process personal data of children at a large scale. If social media intermediaries are required to obtain consent from the parent/legal guardian of each child (who is signing up on their platform), it will be a big administrative hurdle for onboarding of users by them (which constitutes a major chunk of their active users). Another challenge being faced by social media intermediaries concerns the scenario where a minor user falsely signs up on the platform by stating an incorrect age. Since the Act also doesn’t address this particular scenario, businesses are concerned as to whether or not they will be liable for any processing of personal data of children (where the child has falsely stated to the business that she/he is an adult).

It is expected that the Indian Government will publish the rules (under the Digital Personal Data Protection Act, 2023) for public consultation in the month of January, 2024. It is expected that the rules will provide better clarity as regards the appropriate means of compliance with the provisions of the statute (including the ones discussed above). 

The insights shared by our Indian member highlight the importance of releasing a comprehensive framework for the protection of personal data in India, in order to provide clarity and facilitate the smooth implementation of the Privacy Act.

