Big Tech raises compliance challenges in data privacy law
Leading firms seek time to comply with law amid concerns in the financial services sector and AI's evolving role in data management
A grouping of tech giants, including Meta, Google, Apple, and Microsoft has sought more time for businesses to adhere to provisions under India’s privacy regulations.
Businesses will face major challenges as implementing certain clauses under India’s Digital Personal Data Protection (DPDP) Act will require significant structural changes, the Asia Internet Coalition (AIC) said in a letter addressed to the government.
The DPDP Act, which became a law on 11 August, seeks to regulate the collection, storage, processing, and transfer of personal data, while restricting cross-border data processing in certain countries.
The new law mandates the erasure of user data in specific cases, which will require substantial changes to technology platforms, the AIC letter noted.
Unlike India’s DPDP Act, similar laws in other regions, like the European Union’s General Data Protection Regulation (GDPR), don’t demand such deletions.
To be sure, minister of state for electronics and information technology Rajeev Chandrasekhar said last month that startups, small businesses, and hospitals will likely get more time to adhere to the rules, while adding that rules for the Act would be announced soon.
“The government is open to considering valid arguments for extending the compliance period when accompanied by compelling reasons,” Chandrasekhar said at a recent event organized by the ministry of electronics and information technology.
The letter comes even as industry and legal experts said the Act will require organizations to revisit their existing information technology policies and processes.
Jyotsna Jayaram, partner in the technology practice at Trilegal, said that some details of the Act are still being finalized, including those on international data transfers, obtaining appropriate consent for data use, and procedures following a data breach.
Vikram Venkateswaran, a risk advisory partner at Deloitte India, said the new law marks a significant step in India’s digital evolution. “This is the first such regulation aimed at protecting Indian citizens’ privacy and will serve as a foundation for data-based growth in the nation,” Venkateswaran said.
“Effective compliance would require a top-down communication strategy coupled with a bottom-up implementation, with organizational culture playing a key role in achieving privacy goals,” Venkateswaran added.
Financial services conundrum
Meanwhile, a section of analysts has sounded the alarm about the law’s consequences for the financial services sector. These companies depend on consumer data for various assessments such as creditworthiness, insurance underwriting, and fraud detection.
If the DPDP Act is enforced, the banking, financial services, and insurance (BFSI) sector will need to modify its data collection practices and secure client consent, potentially impacting risk evaluation methods and the pricing of products, analysts said.
Deloitte’s Venkateswaran highlighted several critical steps that organizations must consider. “Companies need a comprehensive assessment and strategy that includes developing a privacy framework, discovering data, evaluating data sources, reviewing current statements, and charting a course forward,” he said.
Venkateswaran also stressed the importance of creating a privacy-centric organizational structure, detailing roles and tasks, managing notifications and consents, raising awareness, labeling and annotating data, classifying it, and establishing crucial performance indicators for oversight. At the operational stage, he pointed out that firms must focus on policy and procedure deployment, educational programs for awareness, and communication of performance metrics.
Regulatory watchdog looms
The law lays the legal groundwork for the creation of the Data Protection Board (DPB), a regulatory body. The DPB has the authority to enforce the Act’s stipulations, including the imposition of both financial and non-financial sanctions for violations. Fines for major breaches could go as high as ₹250 crore (about $30 million).
Talking about industry concerns and expectations from the DPB, Jayaram said the existing version of the Act is unclear on how the DPB will decide the size of fines for major violations.
“We’ll need to monitor the situation to gauge the risks associated with enforcement, especially considering that the DPB will be India’s inaugural authority for data protection,” she said.
AI’s legal maze
As AI applications proliferate across industries, with companies often relying on third-party data to build their models, the application of DPDP regulations to these enterprises becomes an intriguing question.
“The DPDP Act remains neutral about the technology used for personal data processing. Companies deploying AI for business operations will need to scrutinize how the Act applies to them based on factors such as the nature of third-party data used in training AI systems, and then comply accordingly,” Jayaram said.
Venkateswaran said that, for AI, especially generative AI, the focus should be on properly managing training and test data. “This calls for a robust mechanism to label, annotate, and classify data, as well as to eliminate any biases present in existing data sets, and trace their origins for clarification on data collection intentions.”
He emphasized that while these steps are crucial, it’s equally important for organizations to sustain their cybersecurity safeguards and extend existing cyber controls to these emerging technologies.