Digital Personal Data Protection Act, 2023: A Deep Dive into its Consequences for the IT-ITES Sector

November 1, 2023

INTRODUCTION

The IT-ITES sector, short for Information Technology and Information Technology Enabled Services, comprises services that leverage technology, such as Business Process Outsourcing (hereinafter referred to as “BPO”), Knowledge Process Outsourcing (hereinafter referred to as “KPO”), call centre operations, logistics management, Legal Process Outsourcing (hereinafter referred to as “LPO”) and various other functions. It is a crucial and underrated sector of the modern globalised economy, which contributes to skilled employment and upward economic mobility, especially for the middle-class section of the population.

This sector consists primarily of application management, infrastructure development, data analytics, customer support, software development, and so on. It employs a diverse workforce with diverse skill sets and sees rapid innovation in new technologies such as artificial intelligence and blockchain. Since these functions involve handling large volumes of data, the need to maintain the security and privacy of that data has grown accordingly, and there is a strong emphasis on data protection.

Therefore, the IT-ITES sector is a dynamic and evolving industry which revolutionises the operations of businesses and the way they interact with their customers. It plays a crucial role in shaping the digital future by driving technological advances; however, such functions should be performed in consonance with the newly introduced Digital Personal Data Protection Act, 2023 (hereinafter referred to as “DPDP Act”), which aims to regulate and govern the data protection landscape of the country.

KEY STAKEHOLDERS OF IT-ITES SECTOR

The following types of companies and industries can be seen as the key stakeholders of the IT-ITES sector, playing a vital role in influencing and shaping its growth –

BPO and KPO Companies

BPO and KPO companies take over the business and knowledge/information functions of a client company that lacks a forte in those functions, and perform them with much higher efficiency.

In other words, it refers to the practice of contracting specific business processes to third-party service providers for that specific task. The reasoning behind BPO is global expansion, higher efficiency and lower costs. This outsourcing allows companies to focus more on their core tasks while delegating their non-core tasks to other companies.

Being facilitators in the industry, BPO and KPO organisations exchange personal data in bulk, and are thus a Data Fiduciary or a Data Processor, as applicable in the given situation.

IT Companies

IT Companies form the crux of the industry. Often spread across multiple jurisdictions, with several thousand employees, IT Companies fall under the category of Data Fiduciary or Significant Data Fiduciary under the DPDP Act.

Data protection compliance for IT companies is expected to take a significant amount of time and resources to implement, while also requiring such companies to rework their strategies and business conduct, due to the following reasons:

  1. Such companies employ lakhs of people and go on to recruit thousands more every year, all of whom become data subjects.
  2. As is evident from the name, IT companies’ business models require the collection, usage and transfer/processing of huge amounts of ‘information’, and thus these companies would require the most far-reaching implementation of privacy policies and security norms.

Employees

Employees are the biggest stakeholders in data privacy compliance: becoming an employee inherently requires the person to share large swathes of crucial and personal data, not just of the subject themselves but also of their family/guardian.

In this ecosystem, the employees are the Data Principals, thus being entitled to several rights and duties as per the DPDP Act.

LEGAL FRAMEWORK

The IT-ITES sector and the data protection laws have a very complex interrelation, which protects sensitive information and at the same time influences the management of businesses. In view of this, data protection laws play a very vital role by serving as a critical safeguard for the vast amount of personal data which is processed and stored in an increasingly digital world.

The following legal framework governs data privacy in the IT-ITES sector –

  1. DPDP Act
  2. Information Technology Act, 2000 (hereinafter referred to as “the Act”)
  3. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter referred to as “SPDI Rules”)

IMPLEMENTATION OF DPDP ACT

India is heading towards digitalisation in every area such as IT-ITES, banking, education etc.; hence the need to protect the data stored has also increased with time. Data processing activities need to be as transparent as possible, so as to collect complete and correct data.

Data Processing

Section 8 (2) of the DPDP Act states that a Data Fiduciary shall appoint a Data Processor to process personal data through a valid contract. In the context of the IT-ITES sector, if another company engages an IT-ITES company for third-party processing or for any other management work, the IT-ITES company would be deemed a Data Processor.

IT-ITES companies would thus need to implement reasonable safeguards to prevent breach of the personal data of data subjects by such external Data Processors. At the same time, if they transfer personal data to other countries, the DPDP Act mandates them to ensure that all the regulations of those countries are taken care of.

Notice and Consent

As per Sections 5 and 6 of the DPDP Act, Notice and Consent are two of the most crucial principles of processing the data of a Data Principal. In the context of IT-ITES companies, they should craft tailor-made, elaborate and informed Consent notices covering the ambit of their processing activities, in compliance with the principles of the DPDP Act as well as the spirit of the relevant provisions.

The duty of care is even higher when the processing is in relation to the data of children, wherein obtaining verifiable parental consent is a pre-requisite.

IT-ITES companies as a Data Fiduciary

It is to be noted that Section 2(i) of the DPDP Act states that a Data Fiduciary is a person who determines the purpose and means of processing personal data. Accordingly, IT-ITES companies can be classified as Data Fiduciaries because they collect the information or personal data of Data Principals on a regular basis.

Rights and Duties of Data Principals

Section 11 of the DPDP Act provides the Data Principal the right to access information about their personal data, which will similarly apply to the Data Principals who are providing information to the companies.

In addition to this, Section 12 of the DPDP Act gives Data Principals the right to correct, complete, update and erase their personal data for which they have previously given consent.

Section 15 of the DPDP Act makes it the duty of Data Principals not to suppress any material information while providing their personal data for any document, proof of identity/address or any unique identifier.

As a break from unnecessary compliance, Section 17(2)(b) of the DPDP Act exempts those entities which are collecting and processing data for research, archiving or statistical purposes, on the condition that the personal data is not used to take any decision specific to a Data Principal.

IT-ITES companies must comply with the provisions of the DPDP Act and the rules thereunder to process any data, irrespective of any agreement to the contrary, and may engage, appoint, use or otherwise involve a Data Processor to process personal data on their behalf for any activity related to offering goods or services to Data Principals only under a valid contract. Companies shall implement appropriate technical and organisational measures to ensure effective observance of the provisions of the DPDP Act and the Rules to be notified in the near future.

LIMITATIONS TO THE INDUSTRY

As with every new law with revolutionary consequences and novel tenets, the DPDP Act also carries drawbacks in implementation. Following are a few of the drawbacks and contentious issues of the DPDP Act for the IT-ITES sector –

No time limit for the notice of breach

Section 8 (6) of the DPDP Act states that the Data Fiduciary must give intimation of any breach to the Data Protection Board of India (hereinafter referred to as “the Board”) and to the Data Principal/s in the manner as may be prescribed. However, the DPDP Act does not specify any time period within which the Board must be notified in case of a data breach.

Thus, as the law is silent on this aspect, it ought to be considered that such notification should be made at the earliest, within a reasonable period of time. However, terms like ‘at the earliest’ or ‘reasonable period of time’ are often considered a grey area due to differing views and perceptions.

Cross border transfer of Personal Data

Section 16 of the DPDP Act states that the Central Government may restrict the transfer of personal data to any country outside India, but has not specified such countries, thus keeping it open-ended. This can pose a challenge for IT-ITES companies, considering they are often multi-jurisdictional and cross-border data transfers take place almost on a regular basis.

No time limit for erasing data after the consent is withdrawn

Section 6 (4) of the DPDP Act states that the Data Principal has the right to withdraw their consent to process personal data at any time, and Section 8 (7) (a) of the DPDP Act states that the Data Fiduciary should erase the data as and when the withdrawal of consent is received.

The absence of a timeline can be a bottleneck for companies, considering the bulk nature of the data stored by IT-ITES companies. The ideal way forward would be to revise storage and usage systems to mitigate unnecessary intermingling and crossing of different datasets.

AMLEGALS REMARKS

In view of the above, it is clear that the DPDP Act is geared towards giving Data Principals more control over, and transparency in, the use of their data. There is no doubt that the DPDP Act will increase compliance obligations, as it explicitly provides for the protection of personal data and makes disclosure of the collection, usage and purpose of data mandatory.

In this evolving landscape, the IT-ITES sector must adapt to the new legal framework with an optimistic view, as the procedures mandated under the DPDP Act will also benefit the industry in the long run with universal and well-defined SOPs and a proper authority.

Balancing data protection with the dynamic needs of the industry is an ongoing challenge, but it is crucial for building trust, ensuring data security, and promoting responsible data handling practices. The successful integration of data protection into the IT-ITES sector will be instrumental in achieving the goals of the DPDP Act, protecting individuals’ privacy, and fostering a culture of responsible data management in the digital age.

– Team AMLEGALS assisted by Ms. Aradhana Jain (Intern)


For any query or feedback, please feel free to get in touch with mridusha.guha@amlegals.com or jason.james@amlegals.com
