Excerpt from Moneycontrol Article – Published on Aug 14, 2023

Akshay Kumar’s famous dialogue from a movie, “I do what I say, and definitely do what I don’t say,” seems fitting to describe India’s Digital Data Protection Act, which presents compliance challenges for corporates. The Act became law on August 11 after being passed by the Indian Parliament and receiving Presidential consent. One of the major challenges revolves around obtaining consent from data subjects, which the Act requires to be “free, specific, informed, unconditional, and unambiguous.” However, the Act also allows data to be used for “certain legitimate uses,” raising questions about how consent and legitimate use overlap and conflict.

Another area of change is the provision of “data localization.” While previous versions focused on data categorization and cross-border transfer restrictions, the current version eliminated these requirements in favor of a potential “blacklist” of unfit countries for data transfer. This may impact multinational companies’ ability to share information about Indian employees with counterparts in “blacklisted” countries.

The Act also stipulates that other Acts with higher data protection standards will take precedence over its provisions, adding complexity to cross-border data flow compliance, especially with regulations set by the Reserve Bank of India.

Regarding data subject requests, the Act requires corporations to respond to data principal (subject) inquiries, even if there are mistakes or omissions on the part of the data subject. This introduces an additional layer of responsibility for corporations.

The Act introduces the term “significant fiduciary” for controllers that require additional scrutiny. The criteria for categorization as “significant” include the “sensitivity of data,” which may confuse corporates about their classification and the necessary safeguards.

In essence, India’s Digital Data Protection Act presents intricate challenges for corporates, particularly in areas related to obtaining consent, data localization, cross-border data flow, data subject requests, and the definition of significant fiduciaries. Just as in Akshay Kumar’s movie dialogue, where things become intentionally complicated, this law’s compliance complexities might confound the corporate world.

To delve deeper into this topic, please read the full article on Moneycontrol.