Data PrivacyImpact of the Digital Personal Data Protection Act on SaaS

INTRODUCTION

Software as a Service (hereinafter, “SaaS”) is a cloud computing model that revolutionizes the way software applications are delivered and accessed. Instead of purchasing and installing software on individual devices, the software is hosted and maintained by third-party providers and made available to users over the internet via web browsers or dedicated client applications, paying for subscriptions on a recurring basis.

The Indian SaaS market is projected to expand from $13 billion in 2022 to $25 billion by 2025. Consequently, as the number of SaaS providers grow, there is now a demand for these providers to establish well-defined privacy policies and procedures for safeguarding data privacy, ensuring that they handle customers’ personal information with the utmost care and adhere to the guidelines set forth in the Digital Personal Data Protection Act, 2023 (hereinafter “DPDPA”).

IMPACT ON SOFTWARE AS A SERVICE PROVIDER

As one of the largest growing industries and SaaS companies’ majority user base being people below the age of 30 who are conscious about personal data safety, SaaS companies would do well to be equipped with their obligations under the DPDPA and its forthcoming Rules and regulations. Following are some of the main legal obligations that SaaS companies must take note of:

a. Consent-

The main requirement is that service providers must secure consent from users as well as employees, which must meet criteria like being freely given, specific, informed, unconditional, and clear with positive action.

Therefore if a software company provides ride-sharing services to users, the company must provide a clear understanding of the location, SMS and authentication data that it needs to collect before the user can access the service.

However, in certain specific situations, service providers are not required to obtain consent in the case of “legitimate use” as a basis to justify processing digital personal data. This option is only applicable in limited scenarios, such as when data principles voluntarily share their personal data such as when optional permissions such as camera and audio are turned on to send and receive videos or when processing digital personal data is necessary to shield the company from legal liability.

b. Processing Children’s Personal Data-

The DPDPA mandates that SaaS providers must obtain parental or guardian consent prior to handling a child’s personal data. Furthermore, it prohibits Data Fiduciaries from engaging in any processing of a child’s personal data that could harm the child’s well-being. Additionally, it explicitly forbids tracking, behavioural monitoring, or targeted advertising directed at children. This would have a huge impact on companies in the social networking or digital communication spheres such as TikTok, Meta, and X to name a few.

To reduce legal liability under this requirement entirely companies may opt to strictly enforce minimum age restrictions for users.

c. Cross Border Data Transfer-

Service providers based outside India serving individuals in India will also be expected to adhere to the provisions of this bill.

Personal data transfers outside of the country are subject to further scrutiny under the DPDPA. Under the DPDPA, the transfer of Personal Data outside India can be restricted to a certain country or territory upon notification by the Central Government.

AMLEGALS REMARKS

With the rapid acceleration of digital transformation and the growth of cloud computing, SaaS has swiftly become the preferred software delivery model, surpassing traditional on-premise products. The introduction of the DPDPA represents a pivotal moment in India’s data privacy and protection landscape and will have a profound impact on SaaS providers. The new DPDPA imposes several responsibilities on SaaS providers regarding the processing and management of personal data, all while safeguarding the online rights of data principals. Upholding the rights and privacy of data subjects within a SaaS provider’s environment is not only a legal requirement but also serves as a means for these providers to showcase their dedication to data protection and privacy, ultimately bolstering customer confidence and trust.

-Team AMLEGALS, assisted by Ms. Bhavy Sharma (Intern)

For any query or feedback, please feel free to get in touch with tanmay.banthia@amlegals.com or mridusha.guha@amlegals.com