4 Asian Legal Business | January-February 2025 Cover Story

points out. “The rules only suggest two instances – where a child self-identifies or is identified by their parent, both of which will not be viable if services are used anonymously or are on shared devices.”

Cross-border data transfer

Cross-border data transfers emerge as a major concern, particularly for international businesses. The rules grant the government broad powers to restrict data transfers to any country or foreign entity, potentially creating uncertainty for companies operating globally. This could significantly affect sectors reliant on cloud infrastructure and international data flows.

“For businesses reliant on global cloud infrastructure, these restrictions may lead to higher costs, fragmented data architectures, and cybersecurity challenges,” Soni explains.

The government’s ability to impose restrictions with limited notice creates additional operational uncertainty, especially for sectors heavily reliant on real-time international data flows, such as financial services, healthcare, and e-commerce platforms. For multinational corporations, these restrictions could necessitate a complete overhaul of existing data-sharing practices between Indian operations and global offices.

The rules’ reach also extends to data processed outside India if it relates to goods and services provided within India, effectively creating extraterritorial obligations. “This lack of clarity will prove especially harmful for importers, exporters and multinational companies,” Christopher notes.
Impact on different businesses

The framework introduces the concept of “significant data fiduciaries” (SDFs), imposing additional obligations on organisations processing substantial volumes of data. While this tiered approach aims to balance regulation with business needs, the criteria for SDF classification remain unclear, creating anxiety among mid-sized companies about their potential obligations.

Christopher notes that these requirements could prove especially burdensome if the SDF classification extends beyond its initially anticipated scope: “Based on current guidance, the assumption is that only very large organisations who process significant volume or very sensitive categories of data will qualify as significant data fiduciaries. If this assumption is proven wrong, and a larger number of organisations have to comply with the more stringent requirements, it will be quite challenging.”

SDFs face stringent requirements, including annual data audits, impact assessments, and potential data localisation mandates. They must also ensure their algorithmic software doesn’t harm data principal rights – a vague obligation that technology companies may find particularly challenging to implement.

For India’s burgeoning startup ecosystem, these requirements could pose significant challenges. While the rules attempt to differentiate obligations based on business scale, the baseline compliance requirements remain substantial. Smaller companies may struggle with the technical and financial resources needed to implement comprehensive consent management systems, support for multiple languages, and breach notification mechanisms.

Way forward

As organisations prepare to navigate this new regulatory landscape, several critical priorities demand immediate attention. They need to audit their current data processing activities, implement more granular consent mechanisms, and prepare for potential data localisation requirements.
International companies must reassess their data transfer mechanisms and potentially restructure their data architectures to accommodate future restrictions.

The consent manager framework, while innovative, remains untested. These entities are meant to serve as intermediaries, helping individuals manage their privacy preferences across services. However, the practical implementation of this system, including technical standards and interoperability requirements, needs further clarity.

The government’s extensive powers to call for information from data fiduciaries under the DPDP Act and draft rules may also need to be reviewed. “It is likely that data fiduciaries will find this challenging to adhere to, especially in the context of the Schrems II judgement. The surveillance powers of the government will also impact any end-to-end encryption undertaken by social media companies, such as Meta,” Christopher notes. “Data fiduciaries will now have to be careful of their data sharing practices and will need to undertake an exercise to continuously map where their data is transferred and who is given access to it,” she adds.

The rules are currently open for public feedback until Feb. 18, 2025, offering a crucial window for industry input. Many hope this consultation process will lead to clarifications on key aspects, particularly around breach notification thresholds, SDF criteria, and cross-border transfer restrictions.

“While companies should begin to comply with this new regime, it is likely that such compliance will be an ongoing process as further clarity is given through developing market practice and government notifications,” Christopher concludes.