The Digital Personal Data Protection (DPDP) Act is a seismic shift in India's data protection landscape, posing both a compliance challenge and a transformative opportunity for various sectors. Industries such as BFSI (banking, financial services and insurance), telemarketing, healthcare and ecommerce, all heavily reliant on data, must significantly overhaul their operations to comply with this new law.
The DPDP Act provides some leeway in the form of exemptions. DPDP exemptions can be divided into three broad categories:
1. Exceptions to Consent - Situations where personal data may be processed without user consent on other grounds known as ‘legitimate uses’.
2. General Exemptions - Instances where DPDP obligations are entirely waived.
3. State Exemptions - Only applicable to government bodies and state functions.
Understanding the scope of these exceptions could significantly aid businesses in their compliance journey. In this article we unpack each exception in turn, providing practical insights to help your business navigate the complex tapestry of India's emerging data protection regime.
Exceptions to Consent
The crux of the compliance challenge is consent. The DPDP Act sets out consent as the primary ground for processing, requiring businesses to obtain free, specific and informed consent for nearly all processing activities. Such consent must be verifiable, which means maintaining detailed records, and users must be able to withdraw their consent at any time.
However, there are exceptional grounds, classified as “legitimate uses”, where user consent is not required. In the following scenarios you can collect and process personal data without grappling with the consent obligations of the DPDP Act.
- Voluntary Sharing of Personal Data
Data processing is permitted without consent when users (Data Principals) voluntarily provide their data to your business for a specific purpose. Your business can use such data for that purpose until the customer indicates that they do not consent to the use.
For example, a customer writes to an ecommerce business's support address and includes their contact details in the email. The business may use that email address to contact the customer about the support ticket even though the customer never visited the website and clicked a consent button. If the customer indicates that they no longer wish to receive such communication, the communication must stop and their email address must be deleted.
- Employment Related Processing
The DPDP Act permits employers to process personal data without consent when it relates to employment purposes or safeguards the employer from loss or liability. This includes preventing corporate espionage, maintaining the confidentiality of trade secrets, intellectual property and classified information, and managing employee-related services or benefits. This provision is broad and should cover most employment-related processing by employers.
For instance, a company may need to carry out background checks, administer health insurance or run employee welfare programmes. Or a pharmaceutical company could process employee data to restrict access to a new drug formula, which may include monitoring employee interactions with this highly confidential information to prevent industrial espionage.
- Compliance with Judicial Orders and other Legal Obligations
The DPDP Act allows businesses to process personal data without user consent when such processing is required under a law in force or is based on the order of a court or government body.
For instance, a bank may need to report large cash transactions to the government as part of anti-money laundering regulations. This would involve sharing specific details of these transactions without the direct consent of the clients involved. Similarly, if a company is ordered by a court to provide employee information during a lawsuit, it must comply by disclosing the required data, regardless of the employee’s consent.
- Health Emergencies
Processing without consent is also permitted during health emergencies. These include both individual emergencies that threaten life or health, and wider public health crises like epidemics or disease outbreaks. Data processing should be limited to what is strictly necessary for the emergency at hand. This exception is to enable swift action in situations where obtaining individual consent may be impractical or delay crucial interventions.
Consider two cases: emergency medical staff access an unconscious individual's health records to make urgent treatment decisions, and during a viral outbreak a health department collects patient data to manage the crisis. In both instances data is used without consent for immediate individual or public health needs, and both are permissible under the DPDP Act.
- Disasters and Breakdown of Public Order
Processing personal data without consent is also permissible when it's necessary to ensure the safety and assistance of individuals during disasters or situations causing a breakdown of public order.
For instance, following a major cyclone, rescue teams use government databases to identify residents in the affected areas. They process this information to coordinate evacuation plans, deliver aid and locate missing persons. This timely data processing is key to managing the crisis and does not require consent under the DPDP Act.
The above exceptions only relieve a business of the need to obtain consent. The business must still comply with the other DPDP obligations, such as grievance redressal, data security and breach notification.
General Exemptions
The Digital Personal Data Protection Act creates certain general exemptions which excuse you from all DPDP obligations except three: the restrictions on cross-border transfer, orders of the Data Protection Board (DPB), and the duty to implement reasonable security safeguards to prevent a breach of personal data.
- Business Process Outsourcing (BPO)
Processing the personal data of individuals outside India is exempted from the DPDP Act if the processing is carried out under a contract with a foreign entity for the processing of personal data.
For instance, an Indian IT services firm provides customer support to a U.S. e-commerce company. While assisting American customers, the Indian firm processes their names and contact details. Under the BPO exemption, the Indian firm can process the US customers' data without the DPDP consent and notice requirements, provided there is a contract governing the data handling. The retained obligations, notably reasonable security safeguards, still apply.
- Corporate Restructuring and Mergers
This exemption recognizes the need for data processing during mergers, demergers and corporate amalgamations approved by a court or other authority.
Let’s say two Indian pharmaceutical companies decide to merge to enhance their market presence. The merger requires the transfer of employee data, customer records, and supplier information between the two entities. Under this exemption, the companies can process personal data as part of the merger process without individual consent of employees or customers.
- Financial Assessment on Loan Default
Another DPDP exemption pertains to assessing the financial situation, assets, and liabilities of an individual who has defaulted on loan payments to a financial institution. This exemption allows financial institutions to evaluate the creditworthiness of borrowers and manage loan defaults efficiently.
Suppose a customer has taken a personal loan from a bank and has defaulted on several monthly repayments. The bank can invoke this exemption to process the customer’s personal data. They can assess her financial situation, including her income, assets, liabilities, and credit history, to determine the best course of action such as debt recovery or restructuring.
- Enforcing Legal Rights and Judicial Functions
Businesses can process personal data without user consent when it is necessary to enforce a legal right or claim, or in a dispute or legal proceeding. The exemption also covers processing by courts, tribunals, regulators and similar bodies in the exercise of their judicial or quasi-judicial functions.
Consider the following examples: a corporation in a trademark dispute might need to analyse personal data that demonstrates the extent of infringement. This processing can happen without consent as it is essential for enforcing the company's legal rights. Similarly, a consumer rights tribunal examining a dispute may need to access transaction records, communication logs, and other personal data relevant to the case. Since the data processing is integral to the tribunal's quasi-judicial function, it is exempted.
- Prevention and Investigation of Offences
This exemption covers the processing of personal data for the purposes of preventing, detecting, investigating or prosecuting offences or contraventions of law. It allows organisations, particularly those in the law enforcement and regulatory sectors, to set aside most DPDP obligations when that is essential for addressing legal violations.
For instance, if a company detects a cybersecurity breach that compromises user data, it can process relevant personal data to investigate the breach. This may include analysing access logs, user activity and network traffic to identify the source and method of the breach, helping to prevent further offences and protect user data. Note that the general exemptions do not lift the duty to maintain reasonable security safeguards, so the logs and user records gathered during the investigation must themselves be stored and shared securely.
- Research Purposes
The Digital Personal Data Protection Act 2023 allows fiduciaries to use personal data for research, archiving or statistical purposes without fulfilling consent and other obligations. However, this is contingent on the data not being used to take any decision specific to an individual. The government may further prescribe standards for processing under this exemption. Note that, unlike the other general exemptions, this one also exempts the fiduciary from the obligation to maintain reasonable security safeguards to prevent a breach of personal data.
For instance, an edtech company might analyse anonymized data from its learning platform to understand study patterns and improve educational content without affecting individual student experiences. Similarly, a social media company could use aggregate user data to study content engagement trends, ensuring no specific user is targeted or affected by the analysis.
State Exemptions
It is typical of the Indian government to enact sweeping legislation and then carve wide state exceptions out of the same law. This is true of the DPDP Act, where exceptions to consent and other obligations are carved out for government bodies and state functions.
State Exceptions to Consent
Instrumentalities of the State can process personal data without consent for executing state functions, including delivering government services, fulfilling legal obligations or ensuring state security. Companies collaborating with government agencies may also benefit from this, but its applicability must be assessed case by case.
For example the Department of Education processes student and teacher data from public schools for a survey on primary education quality. This data use, crucial for enhancing educational standards, is allowed without individual consent.
General State Exemptions
These exemptions serve essential purposes such as protecting the sovereignty and integrity of India, ensuring national security, maintaining friendly relations with foreign states, upholding public order and preventing incitement to cognizable offences. The same part of the Act also allows processing for research, archiving and statistical purposes under specific conditions, as discussed above.
For instance, in case of a potential threat to national security, state security agencies may need to process personal data of individuals suspected of ties to the threat. This processing may involve surveillance, communication monitoring, and financial transaction tracking.
More Exemptions to be Notified
Note that the exemptions covered above arise only out of the text of the Digital Personal Data Protection Act. The government is yet to release the DPDP Rules, which will provide further clarity on the extent to which these and other exemptions apply.
The DPDP Act further reserves the government's power to notify exceptions in the future. The state may declare that specific provisions of the Act will not apply to certain Data Fiduciaries or classes of them, which allows the government to adapt the regulation to the size and type of data processing activity. Most notably, startups and businesses dealing with a lower volume of personal data may face different requirements from larger corporations.
Therefore, the exemptions mentioned in this article are a great starting point for shaping your compliance strategy. However, you must also look out for future updates on the DPDP Rules and government notifications further expanding or clarifying these exemptions.