India's new data protection law is simple and principle-based. But it will require companies big and small to make radical changes to the way they operate. And I don't think businesses fully realise the changes they are going to have to make.
This is a slightly edited version of a post that first appeared in the Mint. You can read the original here.
On Monday, the Lok Sabha voted to pass the new Digital Personal Data Protection Bill. By the end of the week it had made it through the Rajya Sabha, received Presidential assent and was notified in the Official Gazette. When he withdrew the previous draft of the data protection law, Union minister Ashwini Vaishnaw had promised that we would have a new law in force before the conclusion of India’s Monsoon Session of Parliament. This week, he delivered.
Changes to Business
While commentators have been falling over themselves to dissect various provisions of the draft law—and, in particular, the new changes it has introduced—I don’t think anyone has appreciated fully the extent to which businesses across the length and breadth of this country need to re-orient themselves to the new and fairly rigorous compliance regime that is about to come into force. This is a law that will apply to all businesses that process digital personal data in the country. Given how deeply data technologies have ingrained themselves in all facets of modern life, virtually every organisation in India will be affected. All of them will have to revisit their data practices, study their workflows and review their standard operating procedures to make sure they align with the requirements of the new law.
Take the marketing function, for example. Most sales teams today acquire new customers by making cold calls to potential leads in an attempt to convert them into clients. They source these leads from data brokers who aggregate these databases through dubious means—often without valid consent. Once the new law comes into force, nobody will be able to process personal information without the consent of those to whom it pertains. This means that, going forward, sales agents will be in violation of the law if they cannot demonstrate that the people they are calling have consented to being contacted. Even if they have such consent, they will need to make sure that their use of the personal data is in line with the express purposes for which it was permitted, and not, for instance, to upsell other unrelated services.
The new law makes it clear that wherever a question arises as to whether or not personal data was validly processed, it will be the responsibility of the Data Fiduciary (to whom data was entrusted) to demonstrate that it has the consent of the Data Principal (whose data it is) for processing it towards the purpose specified. This means that firms must adopt appropriate organisational and technological mechanisms to effectively respond to such questions if and when they are posed by an individual whose data they are processing. Few companies in India have such mechanisms in place.
For businesses that have international operations, many of these requirements will not be new. Data protection laws around the world have similar stipulations and chances are that they would have already put systems in place to ensure that their operations are legally compliant. But even these businesses will need to do additional work in order to bring their operations in line with the requirements of the Digital Personal Data Protection Bill.
Languages
Take, for instance, its language requirement. Once the new law comes into force, Data Fiduciaries will need to ensure that every notice for data collection and every request for consent is made available not only in English but also in each of the languages specified in the Eighth Schedule to the Constitution. Even if a company already has in place a privacy policy that meets the law’s requirements, it will have to create versions of this policy in all these different languages by the time the new provisions come to bear on its operations.
Another provision of the law is a stipulation that any agreement between a Data Fiduciary and a Data Principal that runs contrary to provisions of the law will be invalid to that extent. This means that if a company has specifically introduced language into its terms of service and privacy policies in order to (with the consent of the Data Principal) carry out a business process that is not strictly in line with the provisions of the new law, it will no longer be able to rely on those contractual terms. My advice to all business entities operating in India would be to review their terms of service from this perspective, and, since they can no longer make contracts that violate the law, make appropriate changes in the way their business functions in order to ensure compliance.
Data Retention
Perhaps the biggest change that companies will have to make is in relation to data retention. The new law requires Data Fiduciaries to erase personal data as soon as it is reasonable to assume that the specified purpose for which it was collected is no longer being served. It goes on to specify that this will be assumed to have taken place if the Data Principal has not approached the Data Fiduciary for the performance of the specified purpose or has not exercised his or her rights for a specific period of time (which will be separately notified). In order to comply with this part, Data Fiduciaries will need to put in place a process by which they can record the last time each item of data under their control was used for a specified process, so that they can count down from then to determine when they must delete it. To the best of my knowledge, no company has such measures in place today, and I am struggling to understand how, given the vast amounts of data that they have under their control, they will engineer such a system in good time.
I have been eagerly awaiting the enactment of this law for over a decade. Now that it is upon us, I am beginning to realise how much work is left for everyone to adapt.