Digital Personal Data Protection Act, 2023

Pallavi: Welcome back to an exciting new episode of the ‘Gateway to data privacy and protection’ special series presented by EY India Insights Podcast. I am your host Pallavi and today we have an enlightening topic on our agenda – the profound impact of the 2023 Digital Personal Data Protection (DPDP) Act on the telecom sector. Joining us once again is Mini Gupta, our Cybersecurity Consulting Partner at EY India.

She comes with an impressive career spanning over two decades in risk management, and her expertise spans diverse sectors, including Technology, Media & Entertainment, and Telecommunications (TMT), manufacturing, and financial services. She is currently actively leading EY India’s DPDP Act 2023 agenda and is also working closely on the broader data privacy agenda in India and globally. In this episode, we explore the role of data fiduciaries, cross-border data transfers, and obtaining consent for Internet of Things (IoT) services involving multiple data principals. Mini, welcome back to our podcast.

Mini Gupta: Thanks, Pallavi. A pleasure to be here.

Pallavi: Telcos today are an ecosystem play as they are partnering with other service providers such as OTTs. In such cases, is there a primary data fiduciary or multiple ones that the data principal needs to deal with?

Mini Gupta: There are multiple data fiduciaries, specifically in this scenario. For example, if I am a telecom subscriber and have provided personal data to the telco only for telecom services, then the telco becomes the data fiduciary. If this telco has a tie-up with an OTT platform provider, then the telco will obtain consent from the data principal to share their personal data with the OTT service provider for the OTT-related services.

Once the personal data is shared for leveraging OTT services, any additional data that the OTT service provider collects, such as any data required for account creation, their contact details, email IDs, etc., then the OTT service provider will become the data fiduciary for the additional data collected as they would then be deciding the means and purpose of that. Hence, in this case, both the telco as well as the OTT service provider will be data fiduciaries.

Pallavi: Thank you, Mini. The Act currently does not allow personal data to be transferred out of the country except in specific cases. Does the telco qualify among those who can transfer data outside the country, given that sometimes people travel abroad, and the telco needs a cohesive picture to be able to customize their services?

Mini Gupta: The Act allows for the transfer of personal data out of the country unless the Government of India by notification prohibits transfer to certain countries. The rules will let us know which countries are on the negative list. However, in the case of a telecom service provider, when the data principal uses roaming services, the data principal during roaming leaves the telecom provider’s network and latches onto the local telco service provider’s network.

In this case, the law of the land applies and any processing of personal data that is happening is still taking place within the home country. While the data principal might be roaming, their personal data such as call records are processed in India only within the telecom provider’s systems.

However, if you see the other way around where a roaming user comes from another country to India, then the data has to be shared back with that country’s service provider. If that country is on the list of blacklisted countries for data transfer under the DPDP Act, then such transfer will not be governed by the Act, but by the Global System for Mobile Communications Association (GSMA) Act that is agreed between all telecom companies globally for transfer of data in case of international roaming. So, when the roamer is going from here (India) to outside, it is not something that we will need to transfer data for, but when an external or a foreign individual is coming to India and roaming in India, then the GSMA Act would apply.

Pallavi: We see that there have been multiple cases of breaches reported where people have been misusing someone else’s Aadhaar data to get a mobile connection. How is it that tackled in the current Act, or will this be notified later on?

Mini Gupta: There is no specific provision for misuse of personal data provided in the Act explicitly. However, the scenario may be considered as a data breach and any data breach that occurs has to be reported to the Data Protection Board as well as to the individual whose data has been breached. If it comes to the notice of the data fiduciary that someone is trying to use the Aadhaar of someone else (basically a case of impersonation) to get the mobile connection and they are aware that the person sharing the Aadhaar is not intended recipient of the service, then they (telco) can deny the services as well as reports such breaches to the relevant authorities for impersonation.

Furthermore, the Act does provide that in case an individual is trying to impersonate, which means they are trying to violate a data principal’s duties, then there is a penalty on the data principal for an attempt of impersonation. Again, it is something that can go against the person who is trying to misuse someone else’s Aadhaar card.

Pallavi: Thank you for those insights, Mini. Most apps today ride on telecom services, which include multiple players, and their servers may lie abroad with another e-commerce player. All of these collect data from the data principal. Does this complicate matters or does the DPDP Act explicitly have provisions for all of these multiple scenarios?

Mini Gupta: The Act clearly provides definitions for data fiduciary and data processor. In the entire ecosystem of personal data processing, the data fiduciary who is the primary source for the collection of personal data, has to determine the role that each of the service providers is playing depending on the lifecycle of personal data and what data is flowing to each of them.

It is the responsibility of the data fiduciary to ensure that such data processors are adhering to the provisions of the Act. If you look at the entire Act, the entire obligation is on the data fiduciary and not on the data processors. The data processors will be governed by the contractual clauses that they sign between the fiduciary and the processors. Hence, it is important for the data fiduciary to identify all such processors as well as ensure that the relevant safeguards and clauses are put in place when engaging with data processors.

Pallavi: Adding to the topic of data misuse, there is a provision for fines for a data fiduciary who fails to protect the data or misuses it. But how does that help someone whose data is being misused?

Mini Gupta: There is no provision in the Act that mentions how to compensate or help someone whose data is being misused. Globally, it is not a widely accepted practice either, to allow the data principal to be compensated. However, it is up to the Data Protection Board which we are expecting to be set up very soon, to decide if they would like to impose a penalty on the data fiduciary and if there would be a compensation and return to the aggrieved data principals.

Further, while there is no explicit provision, the fact that there are fines imposed on the data fiduciaries acts as a deterrent to ensure that the data of an individual or data principal is not being misused.

There are deterrents, but direct compensation is something that probably will be taken on a case-by-case basis by the Data Protection Board, and a decision will be taken accordingly.

Pallavi: What is the institutional capacity being built to ensure that law is being monitored carefully, in case of a data breach that harms a data principal? Will there be a separate agency to take it further or will it be going through normal police channels?

Mini Gupta: Data fiduciaries are required to notify data breaches to the Data Protection Board as well as to the individual whose data has been breached. In case of a data breach that harms the data principal, the principal can go to the fiduciary directly and request an explanation. The principal can also take it to the Data Protection Board. In case the principal is not happy with the Data Protection Board’s response, there is a provision to take it to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) as well, and a natural progression or an escalation from the TDSAT then becomes our honorable Supreme Court. So, there are multiple levels of escalations that are provided that data principals can go through in case of a breach.

Pallavi: The Act does not talk specifically about the applicability to an Indian national or a citizen or a resident. So then in such cases, if an international traveler visits Indian territory for a day or a few hours, will the Act be applicable to the processing of personal data?

Mini Gupta: In such a scenario also, ideally the Act will become applicable, and processing will fall under the DPDPA because it talks about personal data within the Indian territory. We will have to wait for the rules, which are expected in the next few days, to see if they would differentiate between processing within the territory of India, an Indian citizen, and resident or national, as well as the duration for which the processing takes place. But for now, basis what the Act has indicated, this scenario would come under the purview of the DPDPA till we receive further clarifications.

Pallavi: If a telecom service provider is providing IoT services and these IoT services are leveraged by multiple data principals within a household then whose consent will be required to be obtained for processing of personal data? Do we need to take consent of all the data principals leveraging these IoT services that process personal data or multiple data principals?

Mini Gupta: If you look at the California Consumer Protection Act, there is a definition around the household that caters to the processing of personal data of a household. However, under DPDPA, there is no such definition provided. In such a scenario, where the processing of personal data is taking place in IoT services, the consent of the data principal who opts for these services will have to be obtained. This consent would act on behalf of everyone who is using these IoT services within the household. A privacy notice will have to be provided specifying all the purposes of processing that are taking place for these IoT services, but primarily the person who is actually taking the services will be the one providing the consent.

Pallavi: Thank you, Mini, for sharing all these insights on how the new DPDP Act impacts the telecom sector. Thank you for joining us.

Mini Gupta: Thank you.

Pallavi: On that note, we come to the end of this episode. If you would like us to explore other such topics on data security and privacy. Please do leave us some suggestions that you would like us to deep dive into. Thanks for listening in. Until next time, this is Pallavi, signing off.

CT Bureau