Compliance with the Indian Digital Personal Data Protection Act, 2023

For: B2B SaaS businesses

The Digital Personal Data Protection Act, 2023 (“Act”) is intended to safeguard and protect digital personal data, and (inter alia) govern the manner in which it can be collected, stored, processed, transferred, and erased. The Act imposes requirements on data fiduciaries/collectors and data processors, as well as certain duties on the data subject/individual with respect to personal data.

“Personal Data” under the Act includes any digital or digitized data about an individual (including any data which can be used to identify an individual). This excludes any non-digital data, or any data which cannot be used to identify an individual in any manner (including in concert with any other data).

This document is intended to provide a summary of the obligations of B2B SaaS businesses which arise from the Act.

An Overview

The key obligations of businesses towards complying with the Act include:

  • Identify the extent of Personal Data collection, storage and processing which your business undertakes, and how much is necessary.
  • Prepare notices for procuring consents from individuals whose Personal Data you collect, store, and process (including those individuals whose Personal Data has already been collected and/or is being stored or processed), specifying:
    • Type/s of Personal Data you will use;
    • The specific purpose/s you will use it for;
    • The manner in which they can withdraw consent or raise grievances; and
    • The manner in which they can make a complaint to the Data Protection Board of India.
  • Maintain a record of consents procured and provide the following rights:
    • Right to request (i) a summary of their Personal Data being used; and (ii) the identities of parties to whom their Personal Data has been transferred;
    • Right to correct, update and/or delete Personal Data (unless required to be retained for compliance with law);
    • Right to redressal for grievances and complaints;
    • Right to nominate another individual to exercise their rights (in the event of death or incapacity).

Action Items

While B2B SaaS platforms have limited Personal Data collection, Personal Data can still be collected and processed in case of user accounts for individuals/employees/representatives of enterprise customers. Businesses can take the following actions towards compliance with the Act:

  • Data audit: Carry out an internal data audit, including identifying Personal Data collection, storage and processing requirements;
  • Limit Personal Data usage: Erase or anonymize Personal Data to the extent feasible to reduce the compliance and associated risks, or limit the Personal Data points which are collected;
  • Update your product to enable privacy rights: Businesses should make available on the SaaS tool / platform functionalities to:
    • Issue notices for procuring consent for Personal Data collection, storage and processing prior to any such collection, storage or processing. These notices should be worded in simple and clear terms so that individuals know their rights, and should (i) include language which clearly states that consent is provided for collection, storage and processing (including processing by third parties); (ii) specify the purpose/s for each type of processing (for example, if processing will be done for purposes A, B and C, consent will have to be procured specifically for each of A, B and C); and (iii) state that consent can be withdrawn.
    • Request modification, correction, updating or erasure of Personal Data. Other than any Personal Data which is necessary for providing the services (for example, corporate email IDs), all Personal Data should be subject to modification or erasure pursuant to withdrawal of consent.
  • Appoint person/s who can handle complaints, grievances, or requests from individuals. This can be an individual assigned specifically for this task or a team responsible for ensuring speedy response.
  • Implement technical measures to protect against and mitigate data breaches and their consequences. The Act requires fiduciaries/collectors to “take reasonable security safeguards to prevent personal data breach”, which can include cloud monitoring, penetration testing, ISO certification, etc., depending on the sensitivity and extent of Personal Data.
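As an added illustration of the product functionalities listed above (this is example code, not from the original document or any particular product), the sketch below keeps a per-purpose consent record and implements the withdrawal, summary and erasure rights while retaining only data necessary for the service; the subject ids, purposes and field names are assumed.

```python
from datetime import datetime, timezone

# Constructed example, not from the Act or any product. Hypothetical field name: data that must
# be kept to provide the service (the page's example is corporate email IDs) survives withdrawal.
NECESSARY_FIELDS = {"corporate_email"}


class ConsentLedger:
    def __init__(self):
        self.consents = {}   # subject_id -> {purpose: ISO timestamp of grant}
        self.data = {}       # subject_id -> {field: (value, purpose collected under)}
        self.transfers = {}  # subject_id -> {recipient: purpose}

    def grant(self, subject_id, purposes):
        # Consent is recorded per named purpose (A, B, C ...), never as a blanket grant.
        rec = self.consents.setdefault(subject_id, {})
        for purpose in purposes:
            rec[purpose] = datetime.now(timezone.utc).isoformat()

    def _require(self, subject_id, purpose):
        # Refuse any collection, storage or transfer for a purpose without recorded consent.
        if purpose not in self.consents.get(subject_id, {}):
            raise PermissionError(f"no consent for purpose {purpose!r}")

    def store(self, subject_id, field, value, purpose):
        self._require(subject_id, purpose)
        self.data.setdefault(subject_id, {})[field] = (value, purpose)

    def transfer(self, subject_id, recipient, purpose):
        # Processing by a third party needs consent too; the recipient is kept for summary requests.
        self._require(subject_id, purpose)
        self.transfers.setdefault(subject_id, {})[recipient] = purpose

    def summary(self, subject_id):
        # Right to a summary of Personal Data in use and the identities of its recipients.
        return {"data": {f: v for f, (v, _) in self.data.get(subject_id, {}).items()},
                "recipients": sorted(self.transfers.get(subject_id, {}))}

    def withdraw(self, subject_id, purpose):
        # Withdrawal removes the consent and everything tied to that purpose, except necessary fields.
        self.consents.get(subject_id, {}).pop(purpose, None)
        self.data[subject_id] = {f: (v, p) for f, (v, p) in self.data.get(subject_id, {}).items()
                                 if p != purpose or f in NECESSARY_FIELDS}
        self.transfers[subject_id] = {r: p for r, p in self.transfers.get(subject_id, {}).items()
                                      if p != purpose}

    def erase(self, subject_id):
        # Right to erasure: withdrawing every purpose leaves only the necessary fields.
        for purpose in list(self.consents.get(subject_id, {})):
            self.withdraw(subject_id, purpose)
```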

Data Protection Laws in India

India’s Growth Brings Data Privacy and Protection into Focus: Understanding the Current Data Protection and Privacy Laws in India

India has grown rapidly in technology and economy, but this growth has also brought up the issue of data privacy and protection. Unfortunately, India has lacked a substantive legislative framework focused primarily on data privacy and protection. However, the government has formed a committee of experts to draft a data protection bill. The first bill in 2006 was based on the European data privacy directive, highlighting the need for stronger laws like the data protection laws in Europe.

Current Legislative Safeguards: IT Act and IT Rules

Data protection safeguards in India are mainly provided by the Information Technology (IT) Act, 2000, and the IT Rules, which together constitute, inter alia, the data privacy laws in India. These regulations provide the basic legislative safeguards for data security, privacy, and protection in India. The 2008 amendment of the IT Act added Sections 43A and 72A. Sections 43 and 43A deal with unauthorized access to information and leakage of sensitive personal information; such cases are handled by the Adjudicating Officer appointed under the Act (where the claim or damages amount to up to 5 crores) or by a competent court (where the claim exceeds 5 crores), and any appeal from such an order lies with the Cyber Appellate Tribunal. Section 72 deals with disclosure of information in breach of contract and the punishment for it, underlining the importance of data privacy regulations in India.

Judicial Safeguards After the Aadhaar Judgment: The Need for Personal Data Protection

Data protection was first recognized by the Supreme Court in 2017 in the Aadhaar judgment, emphasizing the need for stronger data privacy laws. The court called for the enactment of proper legislation on data protection which conforms with the individual's right to privacy, and the Personal Data Protection Bill, 2018 was created after this judgment. However, that bill has been withdrawn, and a new bill, the Digital Personal Data Protection Bill, 2022 (2022 Bill), was released in November 2022 to invite comments from the public. The 2022 Bill recognizes various rights and duties of the citizen and the obligations of the Data Fiduciary to use the collected data lawfully, extending to data collected under offshore / cross-border arrangements, and lays out the penalties for contravention.

Data Protection Bill 2022: The Need for Stronger Data Protection Laws

The committee of experts headed by retired Chief Justice BN Srikrishna had drafted the Personal Data Protection Bill in 2018. However, considering ever-evolving technology, data breaches and the increasing number of citizens using and relying on digital platforms, the Ministry of Electronics and Information Technology (MeitY) withdrew the 2018 Bill and replaced it with the comprehensive 2022 Bill. The Bill also defines a child (a person under the age of 18 years) and states that parental consent is required for data collection from a child.

In Conclusion: Balancing Data Protection and Growth

According to the Supreme Court in the Puttaswamy judgment, the right to privacy is a fundamental right. Government policy on data protection must not dissuade the framing of policy for the growth of the digital economy, to the extent that such policy does not infringe on personal data privacy. India has one of the world's largest populations, many of its sectors are unorganised, and data is easily breached. As businesses operate in a globalized world, there is also a need to follow international data protection laws. Therefore, understanding the right to privacy and data protection in India is crucial as we move towards a digitalized future. The establishment of a data protection authority and regulation of how data is collected and used in India will go a long way in achieving this balance between data protection and growth.

FAQs

Q: Can personal data be shared without permission in India?

A: In India, sharing personal data without permission is not legal. The Information Technology (IT) Act, 2000, and IT Rules, 2011, provide the basic legislative safeguards for data security, privacy, and protection in India.

Q: Is data sharing legal in India?

A: Data sharing is legal in India, but only if the consent of the individuals whose data is being shared has been obtained beforehand. The Digital Personal Data Protection Bill, 2022, aims to enhance data protection in India by providing a framework for securing personal data, regulating its processing, and preventing misuse.

Q: Why is data privacy important?

A: Data privacy is important because it ensures that individuals have control over their personal information and can decide who can access it, how it is used, and for what purpose. Data privacy also plays an important role in preventing identity theft, fraud, and other forms of cybercrime.

Q: What are the 7 rules of data protection?

A: The 7 rules of data protection are transparency, accountability, purpose limitation, data minimization, accuracy, storage limitation, and security. Transparency involves informing individuals how their data is used, while accountability refers to taking responsibility for processing the data. Purpose limitation means that personal data collection and processing should only be done for specific, legitimate purposes. Data minimization aims to ensure that only the minimum amount of data is collected and processed. Accuracy involves ensuring that personal data is correct and up-to-date. Storage limitation refers to the idea that personal data should only be kept for as long as necessary. Finally, security involves protecting personal data against unauthorized access, loss, or damage.