Digital Personal Data Protection Act, 2023 and beyond: Reshaping the facility and Management Industry

October 25, 2023


According to the latest report by the IMARC Group, titled “India Facility Management Market: Industry Trends, Share, Size, Growth, Opportunity and Forecast 2023-2028”, the India facility management market is primed to rise in the coming years. The study provides a detailed analysis of the industry, including the India facility management market size, share, trends, and growth forecasts. The report also includes competitor and regional analysis and highlights the latest advancements in the market. The instruments and services used to guarantee a building’s safety, comfort, functioning, sustainability, etc. are referred to as facility management (hereinafter FM).

It includes things like administration of leases and accounting, occupancy and space management, energy management, emergency management, and business continuity. Wi-Fi, smart devices, Internet of Things (hereinafter IoT) sensors, artificial intelligence (hereinafter AI), and other technologies are used by FM services to offer cognitive capabilities, accomplish real-time visibility, and perform other functions. As a result, they have a wide range of uses in both the business and residential sectors.

The rise of the real estate industry is boosting the facility management market in India due to the increase in urban development projects and changing customer preferences towards clean, safe, and secure surroundings. In addition, the booming Information Technology (hereinafter IT) and e-commerce industries are driving up the need for necessary infrastructures and organised spaces, which is further boosting market expansion. The Indian industry is also being boosted by the growing use of AI and IoT technology to automate FM services for energy efficiency audits.

Additionally, the industry is expanding as a result of the implementation of several beneficial policies by governmental agencies, such as the Smart communities Mission to support inclusive and sustainable communities. In addition, the emphasis on hybrid workplaces and post-pandemic return-to-work techniques is anticipated to drive the India facilities management market over the forecasted period. Facility and Management Industries obtain personal data or information of the data subject. However, the Facility and Management Industry adheres to reasonable standards of protecting the personal data of the data subject by stating so in privacy policies, entering into agreements etc. This article provides a bird’s-eye view of the implementation of the DPDP Act, 2023 on the Facility and Management Industry.


The following are the key stakeholders of the Facility and Management Industry, who play a vital role in influencing and shaping the growth of the sector:

i. Facility Managers

Facility Managers are those professionals who ensure that the services provided fulfil the needs of the workers the facility houses, by way of inspection, repair, attending to plumbing issues etc. Their primary responsibilities are security and maintenance.

ii. Contractors and Vendors

Contractors and Vendors are those who sell products which are comparable or similar to another pre-existing product to different types of clients. They generally deal in or distribute materials, or provide the data processing services for the project as may be prescribed.

iii. Building Owners

The building owners are those who own an interest in private or public buildings. They are supposed to take the required measures to minimise risks, by way of insurance coverage or building codes, while keeping the overall integrity of the buildings in order.

iv. Maintenance and Operational Staff

Maintenance and Operational Staff include those workers who are required to maintain the equipment before any issue arises, through cleaning, lubrication, inspections etc. They need to perform the day-to-day activities that are required. This includes custodial staff, security personnel etc., and the other employees who need to ensure physical safety and functionality.


The Facility and Management Industry and the data protection laws have a very complex interrelation, which protects sensitive information and at the same time influences the management of businesses. Data protection laws play a vital role by serving as a critical safeguard for the vast amount of personal data which is processed and stored in an increasingly digital world. Following are the laws applicable to the Facility and Management Industry –

1. Digital Personal Data Protection Act, 2023 (hereinafter “DPDP Act“).

2. Information Technology Act, 2000.

3. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011.


India is heading towards digitalization in every area, such as the Facility and Management Industry, banking, education etc., so the need to protect stored data has also increased with time. Data processing activities need to be as transparent as possible so as to collect complete and correct data. Following are the ways by which the DPDP Act, 2023 can be implemented in the Facility and Management Industry-

a. Notice and Consent

Section 4 of the DPDP Act says that the personal data subject must give consent for the processing of personal data. Section 5 (2) (b) of the Act says that such consent may be withdrawn at any time; until then, the personal data may continue to be processed. Section 6 of the Act says that the consent given by the Data Principal should be free, specific, informed, unconditional and unambiguous, and should be utilised only for specified purposes. In the context of the Facility and Management Industry, companies provide their own privacy policies, in which it is stated that consent should be taken before processing any personal data of an individual, and that as soon as the individual withdraws their consent, the stored personal data is deleted immediately.

b. Facility and Management Industry as a Data Fiduciary

It is to be noted that Section 2(i) of the Act states that the data fiduciary is a person who determines the purpose and means of processing the personal data. The Facility and Management Industry can be classified as a Data Fiduciary because it collects the information or personal data of the data subject, like login credentials, passwords etc., on the basis of the number of times the data subject visits the website of the Facility and Management Industry. Here, the Facility and Management Industry directly gets access to the personal information of the data subject. Consent of the data subject for providing the personal information is taken directly by generating a pop-up window as soon as a visitor accesses the website.

c. Rights and Duties of Data Fiduciary

The Facility and Management Industry may be categorised as Data Fiduciaries under Section 2(i) of the DPDP Act, 2023, which defines a Data Fiduciary as any person who determines the purpose and means of processing of personal data. Thus, the following obligations shall be applicable to such companies which fall under the Facility and Management Industry, as Data Fiduciaries: –

  • ENSURES COMPLETE AND ACCURATE INFORMATION- An Employer shall ensure the completeness, accuracy and consistency of the Data where the same is likely to be used to make a decision that affects the Data Principal, under Section 8 (3) (a) of the Act.
  • IMPLEMENT REASONABLE SECURITY- A Data Fiduciary shall protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent personal data breach, under Section 8 (5) of the Act.
  • INTIMATION IN CASE OF BREACH – In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal, intimation of such breach in such form and manner as may be prescribed.
  • GRIEVANCE REDRESSAL – A Data Fiduciary shall establish an effective mechanism to redress the grievances of Data Principals under Section 8 (10) of the DPDP Act.
  • CONSENT NOTICE – At the time of employment the employer should present a notice to the employee mentioning the clauses to collect, store, track and process their data. The employer must ensure the consent given is free, specific, informed, unconditional and unambiguous. The consent should be taken at the time of employment and also at the end of the tenure of the employment, under Section 5 (1) of the Act.
  • RISKS – Mandates corporations to promptly notify concerned individuals of a data breach that poses a risk to the personal data of the Data Principal and all the personal data. Must not impact the sovereignty and integrity of India or the security of the State, or pose a risk to electoral democracy and public order.


Section 8 (10) of the Act states that companies, being Data Fiduciaries, must establish an effective grievance redressal mechanism for data subjects so as to address their issues properly. Section 13 of the Act also states that it is the right of the data subject to have a means of grievance redressal provided by the companies to which they are giving their personal data to store or process. It further states that the data subject, before approaching the Board on an issue related to a personal data breach, must first use the grievance redressal mechanism so as to resolve any type of issue related to the data breach.


The DPDP Act, 2023 lays out procedures on how corporations and the government itself can collect and use information or the personal data of India’s citizens. It applies to all processing of personal data within India where such data is collected online or offline and is digitized. However, the Act has some flaws regarding enforcement, time limits etc., which need to be addressed by the Government. Following are the drawbacks of the DPDP Act, 2023 in relation to the Facility and Management Industry-


Section 8 (6) of the DPDP Act states that the Data Fiduciary must give intimation about the breach to the Board and to the data subject in the manner as may be prescribed. But the Act does not say anything about the specific time period for providing the notice to the Board in case of a data breach. So, it is significant that the notice be given at the earliest, as and when the data breach is reported. Also, the data subjects must not be kept in the dark, and there must be transparency in case of a data breach. In the context of the Facility and Management Industry, companies must report to the Board or create a mechanism to look into cases wherein a breach of data has occurred at any time, for the protection of the personal data provided by customers to fulfil their requirements.


Section 16 of the DPDP Act states that the Central Government, by notification, may restrict the transfer of personal data to any country outside India.

However, Section 75 of the IT Act, 2000 states that an offence committed outside India by any person on a computer or related computer network located in India shall be punishable. In the context of the Facility and Management Industry, major companies are transferring data to other countries, and such countries have different standards of data protection than the DPDP Act. Hence, the DPDP Act must clarify the position on cross-border transfer of data.


Section 6 (4) of the DPDP Act states that the data subject has the right to withdraw consent to the processing of personal data at any time. Section 8 (7) (a) of the DPDP Act goes one step ahead to state that the Data Fiduciary should erase the data as and when the withdrawal of consent is received. But the Act does not mention anything about the time period within which the Data Fiduciary is obliged to erase the data. Therefore, in the context of the Facility and Management Industry, once the data is stored and the data subject withdraws consent to process the personal data, there is no time period specified within which the Facility and Management Industry should erase the personal data.


All data fiduciaries (entities that determine the purpose and means of processing personal data) must obtain consent from individuals before collecting their personal data and must provide individuals with notice regarding the purpose for which their personal data is being collected. In Facility and Management Industry, companies also give notice to the data subject before obtaining sensitive personal data and also provide the object/ purpose of obtaining the personal data. In Facility and Management Industry, privacy policy of the companies clearly state that they don’t share the personal information of the data subject with the third party. Majorly, all the Facility and Management companies state the legitimate purpose for which they are using the data.

Businesses must modify their strategies to comply with the new standards due to their emphasis on permission, data subject rights, openness, and responsibility. To do this, extensive data audits must be conducted, privacy policies and procedures must be reviewed and updated, staff members must be trained, and data protection specialists must then be consulted.

Following are the legal instruments, other than the DPDP Act, which have a significant impact on data privacy obligations on the Facility and Management Industry-

Information Technology Act, 2000.

  • Section 43A of the Act, 2000 states that companies which fail to implement and maintain Reasonable Security Practices and Procedures while handling sensitive personal data or information, and thereby cause wrongful loss or gain to any person, shall be liable to pay damages to the affected person. In the context of the Facility and Management Industry, companies must implement reasonable data security practices which should not cause any wrongful loss or wrongful gain to the data subject.
  • Section 72A of the Act 2000, penalises the sharing of personal information which has been shared under a lawful contract to a third party without the consent of the original data subject.
  • Section 72 of the DPDP Act prescribes the penalty imposed for breach of privacy. Therefore, Facility and Management Industry companies must not transfer or breach the personal information of the data subject by supplying the data to any third party or agent without the consent of the data subject.

Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules (hereinafter “IT Rules”), 2011.

Section 5 of the IT Rules deals with the Collection of Information, wherein the following has been stated-

  • That while collecting the personal data, the body corporate collecting the data must ensure that the person whose data is being collected has knowledge, in writing, of the lawful purpose for which the personal data has been taken.
  • That the stored information must not be retained for longer than is required for the purposes for which the information was originally lawfully collected except if any other law for the time being in force requires the same and must be used only for the purpose for which it has been so collected.

Data Minimisation has been recognized as an important principle to protect the personal privacy of an individual. Facility and Management companies mention in their privacy policies that they don’t retain the data longer than required to serve the legitimate purpose and immediately delete the personal information after the said purpose is served.

Sections 5 to 7 of the Rules, 2011 regulate collecting, storing, processing, handling, retaining, using and transferring the data. The definition of personal data includes passwords, sexual orientation, medical records, biometric information, physical or mental health etc., but it does not include data that is freely available, is available under the IT Act, 2000, or is accessible in the public domain. Section 5 also gives the data subject the right to review, update or withdraw consent. There is no data localization, as the Rules freely allow sensitive personal data or information to be shared outside India.

Rule 5 (2) of the Privacy Rules, 2011 states that companies should collect sensitive personal data or information when it is required for a lawful purpose. However, in the Facility and Management Industry, companies can only collect the sensitive personal information of the data subject to carry out a lawful object which is connected with the functions of the Facility and Management Industry.


The DPDP Act specifically mentions the protection of personal data and mandates that businesses notify data subjects of the reason they are collecting their data, identify the goal of that collection, and seek their consent before processing that data. However, it also has its fair share of flaws, since it is unclear about the cross-border transfer of data, and many of the specific rules and regulations are yet to be notified.

However, even in its present stage, Facilities and management companies will now be required to set up complaint procedures like grievance redressal mechanism, that support the investigation of any personal data breach and provide clients complete control over their personal information.

Companies in the Industry must provide data privacy notifications which specifically mandate that the data principal be informed and given the choice of whether they want to limit how their personal information is used. Data fiduciaries who aren’t businesses (consent managers) will record the date consent was granted as well as the justification and criteria for maintaining the data. Additionally, if a parent or guardian provides identification, the firms must put in place measures to verify its validity, if they store any data of the children.

Team AMLEGALS assisted by – Ms. Aradhana Jain (Intern)
