Topics In Demand
Notification
New

No notification found.

MEITY : nasscom representation on enabling a robust implementation of the DPDPA
MEITY : nasscom representation on enabling a robust implementation of the DPDPA

November 17, 2023

453

0

In November, nasscom made a representation to the Ministry of Electronics and Information Technology on enabling a robust implementation of the Digital Personal Data Protection Act of 2023 (DPDPA). Our representation, which was developed based on a series of discussions with a heterogenous group of entities in the technology sector and webinars with experts, included the following observations and suggestions.

Current industry readiness

Based on our conversations with the industry, organisations, to be ready for the rules, have been:

  • building internal awareness and identifying required organisational posts and governance requirements;
  • identifying contracts, technical systems, and organisational practices which may require review;
  • assessing how they can leverage technology to improve data protection; and most importantly,
  • trying to understand where all and what all personal data sits in their organisations.

These are important steps in the compliance journey.

Relevance of notifications other than the rules

To practically determine the precise range of required compliance measures and operational aspects, organisations require, in addition to the finalised rules, clarity on certain matters under the DPDPA that are dealt with directly through notifications that are separate from the rules envisioned under section 40. These are:

  • Notifications identifying significant data fiduciaries (SDFs) under section 10(1). Organisations need to know if they will be SDFs or not, as this determines whether the obligations under section 10(2) will apply to them.
  • Notifications identifying qualifying organisations (or processing activities) under sections 17(3), 9(4) or 9(5). Organisations need to know if they are eligible for such exceptions.

It is only after the rules are finalised, and these additional notifications are made clear, that organisations can estimate the time and resources required to establish and operate their DPDPA compliance programs.

Need for guidance

In addition, there is a need for guidance, over and above rules, to help organisations interpret terms and concepts in the DPDPA – that have no rule-making power attached to them - with confidence.

The idea is not to indirectly create new rules, redefine statutory provisions, or constrain the Board or the TDSAT, but to clarify how the Central Government is itself interpreting these sections, and identify best practices and international reference points that can be brought to the Indian context with confidence.

We identified the following areas meriting guidance:

  • The “purposes of employment” under section 7(i).
  • The “voluntary provision of personal data” ground under section 7(a).
  • The meaning of “technical and organisational measures”.
  • The concept of “security safeguards”.
  • The meaning of ‘detrimental effect on the well-being of a child’.
  • The meaning of the term “erasure” under the Act.

The Government can explore multiple different avenues to issue guidance, including establishing an inter-sectoral committee for cross-sectoral harmonisation; issuing best practices for government data fiduciaries; and setting up a multi-stakeholder working group.

Considerations for compliance timeframes

Basis the work done so far, and the current state of compliance, it is clear that, in terms of the time required to be ready for enforcement, organisations must be appreciated as follows:

  1. Organisations with no prior data protection experience: the organisations that will require the most amount of time will be those with no prior personal data protection experience (either with the SPDI Rules, sectoral regulations, or foreign laws). Examples include government organisations, logistics companies, professionals, offline retailers, research institutes, schools, etc. These will be building compliance programs from scratch.
  2. Organisations with limited data protection experience: there are many big and small organisations in India who will not have exposure to horizontally applicable foreign data protection laws (like the GDPR) but will have limited compliance programs in place today (mainly to comply with the Sensitive Personal Data Information Rules or sectoral regulations). Examples include those in e-commerce, financial services, healthcare industries, etc. These will need to adapt compliance programs to apply to all types of digital personal data and to account for new obligations (e.g., data principal rights). They will require more time than those with exposure to foreign data protection laws.
  3. Organisations with prior foreign data protection experience: There are organisations in India, covered by the DPDPA, who are GDPR compliant, and are best placed (relative to the above two sets) to become DPDPA compliant. However, they will also still require time to build their individual DPDPA compliance programs due to certain India-specific elements in the DPDPA, such as:
  • The need to map legal grounds for processing activities afresh, as the available grounds for processing under the DPDPA are different from those under foreign laws. Remapping legal grounds takes time and is complex.
  • The need to map processing activities to different data principals afresh. This is because, unlike in foreign laws where a Data Principal is a single individual, under the DPDPA, a Data Principal can also be a group of individuals (such as parents and children, or persons with disabilities and their legal guardians). This requires new methodologies and systems to be built for the DPDPA specifically.
  • The DPDPA also states that the withdrawal of consent triggers the erasure of personal data, which is a novel requirement and not specifically mandated under foreign laws. This requires new technical measures to be deployed, which will take time to develop and test before deployment can happen at scale.
  • The DPDPA introduces new specific protections for the processing of personal data of children and of persons with disabilities, that are comparatively novel, and will require India-specific measures, systems, and applications to be built.
  • Providing notices and consent requests in multiple languages will, at first, require some time, as suitable vendors are identified and legal reviews across multiple languages are conducted.

General feedback for rulemaking

As per news reports, the Central Government may release all rules at once for public consultation. Given that this is (in theory) 26 sets of rules being released at once, we requested that adequate and proportionate time be given to receive public comments (the default practice is to give 30 days for one set of rules).

We also identified certain desired clarities and outcomes that may be reflected in rules before they are put up for public consultation. These include:

  • Any rules on notices should avoid prescribing templates, media types, or formats, and instead aim to clarify the desired outcomes from notices that tie in with the standards of valid consent under section 6 of the Act.
  • Any rules on consent managers should not just be limited to the existing Account Aggregator model and should create adequate space for a wide range of functionalities and business models to emerge and thrive.
  • Any rules on verifiable consent should take a proportionate approach, where the level of verifiability desired should be calibrated vis-à-vis the level of risk posed by the processing activity. Instead of defining specific methods, these rules should define minimum criteria. Any solution meeting these should be acceptable.
  • Any rules on personal data breach reporting should reflect the difference in intent and design vis-à-vis the extant regime for security incident reporting regime, and refrain from a one-size-fits-all approach. We offered the Singaporean Data Breach Reporting Regime as a useful case study from this perspective.

For any queries or concerns regarding this submission, please write to varun@nasscom.in and priyanshi@nasscom.in.


That the contents of third-party articles/blogs published here on the website, and the interpretation of all information in the article/blogs such as data, maps, numbers, opinions etc. displayed in the article/blogs and views or the opinions expressed within the content are solely of the author's; and do not reflect the opinions and beliefs of NASSCOM or its affiliates in any manner. NASSCOM does not take any liability w.r.t. content in any manner and will not be liable in any manner whatsoever for any kind of liability arising out of any act, error or omission. The contents of third-party article/blogs published, are provided solely as convenience; and the presence of these articles/blogs should not, under any circumstances, be considered as an endorsement of the contents by NASSCOM in any manner; and if you chose to access these articles/blogs , you do so at your own risk.


images
Varun Sen Bahl
Manager - Public Policy

Reach out to me for all things about data regulation, cybersecurity policy, and internet governance.

© Copyright nasscom. All Rights Reserved.