11 August 2023
The Lok Sabha[1] and Rajya Sabha[2] have passed the Digital Personal Data Protection Bill, 2023 (the “Bill”), which currently awaits Presidential assent, marking the dawn of data protection law in India. It seeks to replace the data protection architecture under the existing Information Technology Act, 2000 and rules thereunder, and gives effect to the right to privacy affirmed by the Supreme Court in Puttaswamy[3].
The Bill proposes a comprehensive framework for data protection in India, while recognizing the right to privacy of individuals to whom personal data relates (referred to as “Data Principals”). Such personal data may be processed by entities which determine means and purposes of processing (referred to as “Data Fiduciaries” or “Fiduciaries”) and entities such as contractors, service providers, who may process personal data on behalf of such Data Fiduciaries (referred to as “Data Processors” or “Processors”).
The Bill also proposes the establishment of a regulator viz. the Data Protection Board (the “Board”), consisting of a chairperson and such other members as may be notified, who would be appointed by the Central Government, with at least one law expert. The Board is expected to play an adjudicatory role, as opposed to being a comprehensive sectoral regulator.
While a sizeable portion of the provisions and clarity on obligations would be on the next wish list, entities complying with existing law[4] may need to reimagine data handling practices at every stage of the data life-cycle, up until deletion, as per the provisions of the Bill. Here we discuss some of the core requirements which are to be met by the newly recognized Data Fiduciaries in India.
At the outset, entities must assess the applicability of the Bill to processing activities undertaken by them. This may involve assessing ‘territorial’ applicability and examining exemptions on ‘subject-matter’.
Territorial Applicability: The Bill states that while all processing undertaken within India will be subject to the Bill, processing outside India will also be covered if the Fiduciary undertakes processing in relation to an activity related to offering of goods or services to Indian residents.[5] Therefore, entities engaged in offering goods or services to Indian residents would still have to comply with the Bill, regardless of whether they are established, have a corporate entity, or undertake processing within India.
Thus, while entities which undertake processing of personal data in India will regardless be subject to provisions of the Bill, those undertaking processing outside India may also be required to comply, if such processing is in connection with offering of goods or services to Data Principals resident in India.
Subject Matter Applicability: The Bill provides exceptions to applicability in specific situations such as when personal data is processed for personal or domestic purpose or in cases where such personal data is publicly available, on account of the Data Principal publishing it (herself) or any other entity publishing it pursuant to a legal obligation.
Entities must undertake discovery and mapping of inward and outward data flows to comprehensively understand personal data processed by them. This may be helpful in assessing applicability and extent of compliance, such as in:
Data discovery and mapping is a critical step for organizations to undertake in order to have complete visibility over the personal data being processed. Maintaining accurate and updated inventories of data through periodic exercises may enable entities to avoid the consequences of subsequently discovering data which has not been secured, as has been seen in the case of Eatigo International[10] (Singapore).
The Data Fiduciaries may, as soon as reasonably practicable, be required to take steps to provide a notice to existing Data Principals. Since continued processing of personal data by Fiduciaries would depend on whether Data Principals withdraw consent, Fiduciaries must implement mechanisms which permit Data Principals to withdraw consent, should they choose to do so.
The Bill provides for many other obligations which are likely to be crystallized once the rules are formally made available by the Central Government. This will further expand the breadth of the compliance obligations under the Bill.
[The authors are Executive Partner and Senior Associate in Data Protection and TMT practice of Lakshmikumaran & Sridharan Attorneys at New Delhi and Hyderabad, respectively]