Perspective of Mr. Cyril Shroff, Managing Partner, Cyril Amarchand Mangaldas
- “The Digital Personal Data Protection Bill proposes simple, concise, principles based legislation, and is based on wide ranging public consultation. It has the potential to enable an effective data privacy framework in India without stifling innovation. The exceptions for outsourcing industry and changes to the cross-border data transfer regime demonstrate the intent of allowing India to become an enabling, friendly, innovation focused, world class digital economy.”
- “The Digital Personal Data Protection Bill will require businesses to rethink how they treat user data. From the current approach of “more data is good”, businesses will need to see themselves as fiduciaries for data, and be mindful about how much they collect, what they use it for, and how (and for how long) they keep data.”
Perspective of Mr. Arjun Goswami, Director-Public Policy, Cyril Amarchand Mangaldas
- “The introduction of the Bill is a key step in the journey to a world class comprehensive general data protection regime for India. It is evident that the Bill has evolved following an extensive and wide ranging consultation process, and its uniquely Indian approach of balancing the rights of Digital Nagariks using principles like purpose limitation and storage limitation, while still being a business friendly, simple, principles based regime overall, has the potential to drive sustainable growth. The enabling of various types of exclusions and staggered compliance (including for startups), can go a long way towards easing the transition with the new data privacy regime, and the regime of strong potential penalties, with powers to block resources, can help drive compliance.”
- “The Digital Personal Data Protection Bill is a much needed step towards reimagining the approach to technology regulation for a rapidly growing, global digital economy. Its simplicity and principles based approach, combined with the creation of strong data principal rights, and a new regulatory architecture, i.e. the Data Protection Board, can usher in a new era for data protection and compliance in India.”
- “The clarification on the primacy of sectoral regulation is a welcome move to dispel any confusion. The autonomy provided to sector regulators to frame specific requirements based on sectoral needs is also in line with the principle of enabling purpose-built requirements for data fiduciaries.”
- “The rules that will be formulated for key aspects such as notice and consent, processing children’s data, and compliance for Significant Data Fiduciaries will provide more guidance for businesses.”
- “The change in terminology from deemed consent to legitimate use is beneficial. Further, while the grounds have been narrowed, the new language is definitely more precise and clear.”
Perspective of Arun Prabhu, Partner & Head-Technology & Telecom, Cyril Amarchand Mangaldas
- “The Digital Personal Data Protection Bill proposes a balanced approach which requires clear notice to, and consent from, persons for processing their data, and creates clear rules around how, and for how long that, data can be used. Thereafter, it allows for significant flexibility on how that data may be processed. It also proposes a strong, simplified enforcement mechanism and data subject rights. Implemented properly, this has the potential to be a balanced, world class general data protection regime.”
- “The Digital Personal Data Protection Bill ushers in a fundamentally different compliance regime compared to existing requirements. Since the Bill is uniquely Indian, and differs in many ways from the GDPR, businesses will need to understand it, and review how they operate in India carefully.”
- “The provisions for graded exceptions for certain classes of Data Fiduciaries are a mature and industry friendly move to help startups mature into compliance obligations. While the rules are yet to be notified, the graded manner of compliance can help young businesses grow into their roles as data fiduciaries.”
Children
- “While the regime still focuses on protecting Children and proposes far reaching general restrictions on how their data is collected (with parental consent) and processed, some flexibility has been built in now. Potential exceptions can be created for classes of data fiduciaries, and certain types of processing. Additionally, a lower age threshold can be prescribed when processing is demonstrated to be safe. This is a welcome move and recognizes the rights of children as Digital Nagriks while continuing to protect their rights.”
Consent
- “The Bill requires that informed and affirmative consent be taken based on a simple consent notice. A convenient way to withdraw this consent, raise grievances, and exercise certain rights like correction and erasure needs to be provided. While parts of how this will work will come in the rules, this principle based, empowering approach can be the right balance between enabling individual autonomy while also providing for ease of doing business.”
- “Given the strong rights of data principals, a dedicated regulator, significant monetary fines for non-compliance, and the potential for a ban, companies will need to carefully examine and in some instances rearchitect their data practices for compliance with the new law.”
- “The idea of the consent manager in the Bill is a welcome innovation. While they are subject to a strict compliance regime, consent managers have the potential to enable individuals to monitor and manage consents in a simple, central manner, thereby reducing consent fatigue which is a global problem, and ensuring that businesses treat data responsibly.”
- “The exclusion for personal data put in public domain by a Data Principal, is a move which may help several types of businesses avoid regulatory uncertainty on their processing of public data.”
Legitimate Use
- “The Bill clearly allows Employers to process the data of employees on the basis of legitimate use to protect their interests and prevent actions like espionage. This is narrower than the previous exception, and employers may be well advised to seek clear consents for other types of processing.”
- “The inclusion of objective standards and policies for legitimate use exceptions is a welcome move and should help for data adequacy and equivalence decisions globally.”
Cross Border
- “The revamped clause that proposes a whitelist approach towards cross border transfer of personal data, without additional gating obligations, is a welcome move that will help the free flow of data.”
- “The new cross-border transfer clause, and the clear outsourcing exception can help India become a trusted global destination for innovation. The obligations on Data Fiduciaries to maintain reasonable security standards and technical and organizational measures for protection of personal data, will help align with global standards and more clarity may come under the rules.”
Significant Data Fiduciaries
- “Companies that may be classified as significant data fiduciaries will have significantly higher compliance obligations such as appointing resident data protection officers, conducting data impact assessments and appointing independent data auditors. This will mean companies that can be classified as significant (i.e. those handling large volumes of personal data, or doing so in sensitive or impactful ways) need to start preparing for the Bill especially early.”
- “The Digital Personal Data Protection Bill, in a departure from the draft, has clear and detailed clauses on the constitution of a Data Protection Board, which has the power to conduct inquiries, pass interim directions and recommend blocking. The designation of TDSAT as the appellate authority and clear, time bound rules for appeals provide much needed clarity on the manner in which the new regulator will operate.”
- “The constitution of a Data Protection Board and an appellate authority is a welcome move. The clauses on voluntary undertaking and guiding principles for determination of penalty demonstrate the intent of providing flexibility to the Data Protection Board to regulate compliance, while enabling businesses to operate in a sustainable manner.”
Other Key Aspects
- “The Digital Personal Data Protection Bill introduces clear standards for consent and notice, requirements like purpose and storage limitation, and requires organizations to adopt technical and organizational measures and reasonable security practices. There are obligations for data impact assessment and independent audits by significant data fiduciaries. These, along with the rules that will be formulated, will have to be carefully analyzed, and companies (especially those that deal with large volumes of user data) will need to quickly start thinking about upgrading their consent and compliance frameworks.”
- “The requirement of a fresh notice for personal data for which consent was taken under the current law, means businesses will need to ensure all personal data they process going forward is treated consistently. The clarification that this data can continue to be processed till the individual withdraws consent is a welcome move and will mitigate business disruption.”