Data Protection Newsletter (September, Issue II)

September 30, 2024

Nachiketa Singh

Founders Office

Summary

  • NCPCR Asks Social Media Platforms to Explore Ways to Protect Children's Data
  • DPDP to Offer Consent Framework instead of Rules
  • ITIC Urges Indian Government to Balance Privacy & AI Innovation
  • Study Reveals Over 60% India Follow Problematic Data Practices
  • Firm’s Across Sectors Seeking Legal Guidance Regarding their Use of Generative Intelligence
  • Far and Wide: The Applicability of DPDP Act
  • How will the DPDP Act Impact the Indian BFSI Sector?
  • Define Data Collection and Retention Policies
  • Provide for User Rights

Headlines

NCPCR Asks Social Media Platforms to Explore Ways to Protect Children's Data

The National Commission for Protection of Child Rights (NCPCR) met with major social media platforms to discuss child safety online. Key issues discussed included mechanisms for age verification, tools for identifying and blocking Child Sexual Abuse Material (CSAM), support for law enforcement agencies, and parameters for reporting cases to the National Center for Missing and Exploited Children (NCMEC). The commision called for mandatory Know Your Customer (KYC) procedures to verify user identity on platforms and mandatory reporting of CSAM under the Protection of Children from Sexual Offences (POCSO) Act, 2012. The Commission also stressed the importance of parental consent for minors entering contracts on social media platforms and the need for clear disclaimers warning parents about adult content.

Source: Economic Times

DPDP to Offer Consent Framework instead of Rules

Rules under the Digital Personal Data Protection (DPDP) Act may prescribe an umbrella framework for companies on consent management instead of issuing exact rules. The rules are also likely to prescribe the use of a government-issued identity card-based age and consent management verification for now while leaving the scope for companies to develop their in-house age-verification systems, they said. The provisions of the DPDP Act, 2023 state that all users below the age of 18 will be considered children. Such users must obtain verifiable parental consent for using social media and a host of other services provided by internet intermediaries, as per the provisions. The rules may provide certain exemptions to schools, colleges and universities on processing and obtaining parental consent for children’s data; they are unlikely to extend the benefits of the provision to ed-tech companies. 

Source: Economic Times

ITIC Urges Indian Government to Balance Privacy & AI Innovation

Global tech body Information Technology Industry Council (ITIC) has urged the Indian government to strike a balance between individual privacy and innovation in the country's yet to be notified rules under the Digital Personal Data Protection (DPDP) Act. ITIC, which represents 80 technology firms including giants like Apple, Amazon, Google, Dell, and Microsoft, also recommends the use of aggregated sensitive personal data to foster artificial intelligence (AI) driven innovation in India. Members of the ITIC, are also concerned about the timelines that would be prescribed for compliance to the Act once the rules are out. The tech body has asked the Ministry of Electronics and IT for an 18-24 month-long time period for complying with the legislation, citing global practices. 

Source: Business Standard

Analysis

Study Reveals Over 60% India Follow Problematic Data Practices

In a recent survey conducted jointly by CII and Protiviti, 61 per cent of the respondents felt that companies in India were taking part in activities such as excessive data collection and secondary processing without consent, which are not in line with the DPDP Act. According to the report, around 82 per cent of the mid, senior, and entry-level employees who participated also said that they perceived companies in India to be less transparent or not transparent at all about the use, processing, and sharing of personal data. On data breaches, the study found that more than half of the organizations (52 per cent) were victims of a data breach in the last five years. Among key concerns, consent and data principal access request management, visibility of personal data, data retention and disposal, breach response, and cross-border transfer of data were some of the main issues that participants identified. The report also highlighted that large organisations (above Rs 1,000 crore in revenues) were investing more in privacy setups than smaller ones with below Rs 1,000 crore revenues. Indian Businesses should invest in solutions like Leegality Consent Manager to effectively solve DPDP compliances.

Source: Business Standard

Firm’s Across Sectors Seeking Legal Guidance Regarding their Use of Generative Intelligence


Firms across sectors including IT, banking, and cloud storage are seeking legal guidance due to concerns that their use of generative artificial intelligence (GenAI) may not comply with data protection laws. Many companies are building proprietary GenAI models without enough transparency about the use of personal data being processed for training purposes. This goes against the principles of lawful consent, fairness and transparency as prescribed in the Digital Personal Data Protection (DPDP) Act. Companies are consulting with lawyers on issues such as how to define the scope of their privacy policies to seek appropriate user consent, the kind of contractual obligations needed for data processors while offering AI-as-a-service and the global laws and regulations that apply to multinational data exchange. Experts believe that doors must not be shut on large language models (LLMs) for fear of future legal setbacks.

Source: Economic Times

Insight

Far and Wide: The Applicability of DPDP Act

Read our blog about the applicability of the DPDP Act. The DPDP Act applies to digital personal data, defining 'Data Principles' and 'Data Fiduciaries' with specific rights and obligations. It covers data processed within India and, in some cases, outside. Certain scenarios, such as employment processes and state functions, are exempt. Full enforcement awaits the release of DPDP Rules and the establishment of the Data Protection Board.

Read the Full Article

How will the DPDP Act Impact the Indian BFSI Sector?

Read our blog to understand the compliance obligations under the DPDP Act for the Indian BFSI Sector. India's new data protection law mandates explicit consent for personal data use. BFSIs must prepare to balance the obligations of multiple regulators, including RBI, SEBI, and IRDAI, alongside the new data protection requirements. Failure to comply can bring heavy fines up to 250 Crore Rupees. Integrating Consent Managers, overhauling data practices, and staying agile in the face of evolving data governance laws are now critical moves for every BFSI player.

Read the Full Article

Compliance Tip

Define Data Collection and Retention Policies

Indian businesses are advised to craft policies that do more than compliance. The practices should enhance your data governance, fostering trust and transparency. Policies should clearly lay down the details on data collection, PI retention and data modification requests. 

Provide for End-User Rights

Indian businesses should equip robust mechanisms to honor user rights requests effortlessly. They should provide users the option to edit, modify and delete their personal data post retention periods.

Explore Leegality Consent Manager

Discover how our Leegality Consent Manager can streamline your data protection processes and ensure compliance with the DPDP Act. Our Consent Manager offers:

  • Compliant consent notices across all customer touchpoints
  • Storage of verifiable and auditable records of each consent
  • Dashboard for customers to change consent preferences and exercise data rights
  • Oversight over the data practices of your third parties

Explore Leegality Consent Manager for Your Business

Sign up for a demo and early trial access

Customized Demo for every use case
Deep dive into your unique needs and compliance challenges
Free access to testing account
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.