Perspective

India’s new data protection statute signifies a call to action for the telecom industry

2023 has been a defining year in the telecom law and policy sphere in India, with multiple rounds of stakeholder consultation seeing to the passing of the draft Indian Telecommunication Bill, 2022, the exclusion of OTT players from the ambit thereof – and in a more recent development, their proposed regulation under the ambitious new Broadcasting Services (Regulation) Bill, 2023. However, amongst the slew of new legislation notified and enacted in India this year, arguably the most significant has been the enactment of the Digital Personal Data Protection Act, 2023 (“DPDPA”).

India enacted the DPDPA on August 11, 2023, following years of deliberation and legislative review. To add perspective, this monumental legislation has (actively) been in the making since at least 2018 when, following the Supreme Court’s recognition of the right to privacy as a fundamental right, a judicial committee was constituted to develop a comprehensive data protection framework for the country.

The DPDPA is monumental since it represents India’s first ever bid at implementing a comprehensive data protection framework in the country. With its enactment, India joins the ranks of other leading jurisdictions in regulating the processing of its citizens’ data – both in and outside India.

To this end, the provisions of the DPDPA have broad scope and (extraterritorial) application: the statute regulates any personal data collected in digital form as well as in non-digital form (if subsequently digitized) and processed for commercial purposes. In this regard, it identifies and assigns wide-ranging obligations and duties to both the primary party collecting and processing the data (the “Data Fiduciary”) as well as any secondary party to which it transfers or discloses such data for processing for any related purposes (the “Data Processor”) – thereby making data protection a shared responsibility upon each party controlling or handling data. In furtherance, the statute assigns unequivocal rights to the individual providers of such data in India (the “Data Principals”) – both adults and children (i.e. minors under 18 years of age).

The DPDPA thus marks a stark departure from the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Rules”) framed subordinate to the Indian Information Technology Act, 2000. These Rules – along with certain sectoral regulations (issued by the Reserve Bank of India and other regulators) – constituted India’s predominant data protection framework prior to the passage of the DPDPA. Unlike the DPDPA, the Rules prescribe obligations for only ‘body corporates’ engaged in directly collecting personal information (including ‘sensitive personal information or data’) in digital form from individuals in India, while exempting other persons collecting, storing, or handling SPDI on behalf of said body corporate from statutory purview.

For the time being, the Rules continue to be (tentatively) in force. This is because, while the DPDPA has been notified, its provisions remain to be enforced at present. The Government has announced its intention to implement the statute in a phased manner – and to frame and issue rules under the statute for elaborating and clarifying the compliances and obligations set out thereunder (which remain forthcoming). Once the DPDPA (and rules framed thereunder) are implemented, the Rules will be repealed – although sectoral regulations will continue to be applicable upon relevant stakeholders.

The implementation of the DPDPA will result in far-reaching consequences for stakeholders across diverse sectors and industries. Due to the vast amounts of consumer data handled and processed by telecom operators and entities (across borders) owing to the nature of their services, telcos and their business partners alike will particularly need to be mindful of heeding the compliances thereunder.

Notably, the above could be challenging for stakeholders operating domestically, who are accustomed to the narrow focus of the Rules (i.e. restricted to the entity collecting data rather than the entities handling it). In practice, the Rules are non-uniformly interpreted and implemented within the industry in India – often leading to the use of vague privacy provisions and unclear security standards, mechanisms and practices. Obtaining a one-time bundle of consents from a consumer registering for services, for instance, is common practice.

In contrast, the DPDPA mandates consent as the fundamental grounds for processing personal data. It grants the consumer the right to withdraw such consent or to seek erasure, correction or updation of their data. In practice, per the DPDPA, each entity seeking or handling such data will be required to adopt and implement appropriate practices and mechanisms to: obtain express, informed, decisive and specific consent from consumers; accommodate data requests from the consumer or the statutorily appointed Consent Manager; store, retain and handle the data subject to the timelines and prescriptions notified by the Government, etc. – while parallelly ensuring that each party/Data Processor to whom they pass on such data fulfils its obligations under the statute in turn.

The above being said, the implementation of the DPDPA will also not be straightforward for stakeholders operating internationally, who may have already implemented data protection mechanisms compliant with other existing international data protection laws such as the European General Data Protection Regulation (GDPR). While the DPDPA undeniably shares certain facets of its framework with other major data protection legislations, it possesses a unique framework and compliance thereunder will have to be navigated carefully specific to the Indian legal landscape.

Illustratively, the statute requires ‘verifiable’ parental consent to be obtained for the purpose of collection of personal data of minors, prohibits advertising targeted towards minors etc. International and domestic telecom entities alike will thus need to implement appropriate age verification and age restriction mechanisms in India to ensure compliance with this provision is possible. Further, stakeholders will need to ensure that cross-border transfers of data don’t take place to any jurisdictions barred under the statute by the Government.

In light of the above, the present interlude between the notification of the DPDPA and the active enforcement of its provisions presents an ideal opportunity for stakeholders to acquaint themselves with the statute and commence building (or revising) their data protection mechanisms and policies in conformity with the same – especially larger stakeholders which process significant amounts of data and could be assigned additional obligations under the statute (if identified as “Significant Data Fiduciaries”).

The above will ensure stakeholders are prepared ahead of the Government’s announcement of the timeline for compliance under the DPDPA. While stakeholders in the industry have previously sought a 2-year timeline to enforce compliance under the statute, recent news reports indicate that the industry may only receive a 6-month timeline for this purpose.
