After several failed attempts at putting in place a distinct data privacy law, the Indian Government finally notified the Digital Personal Data Protection Act 2023 (DPDPA) on 11th August 2023.
The following features of the law may be of particular note and importance to foreign franchisees:
- The law puts in place the power to impose serious penalties of up to USD 30 million. Accordingly, franchisors would be advised to revisit the representations, indemnity language and limitations of liability in franchise agreements.
- The law finally draws a distinction between a data controller and a data processor, with the bulk of the compliance obligations falling upon the controller. Franchised businesses would be advised to clearly identify controller-processor relationships in franchise agreements and to ensure that specific representations are made regarding compliance.
- The law is extraterritorial: its application is determined by the location of the data subject whose personal data is being processed, regardless of where the processing takes place. So long as the data subject is located in India, the law will apply.
- The law calls for the establishment of a Data Protection Authority (DPA) called the Data Protection Board of India, which will be the sole body empowered to implement the law. The Government has mentioned recently that it is a priority for the DPA to be set up at the earliest in order to be able to enforce the new law, which remains ineffectual in the meantime. Furthermore, rules, which will provide procedures for the implementation of the law, will also need to be put in place before the law can be enforced as intended.
- The DPDPA prescribes that consent, which is still the primary basis/justification for the processing of personal data, must be ‘freely given’. Presumably, this consent cannot be freely given in employer-employee relationships. Hence, the law now allows an employer to process employee personal data ‘legitimately’ in order to provide benefits to the employee and protect its own interests such as protection from loss or liability.
There is still some uncertainty about how the DPDPA will be enforced, including on things such as deadlines for breach notification requirements, the strictness with which the law will be enforced, and when it will fully come into force. The law has also come in for criticism for the power it gives to the government to make subordinate legislation.
As with any new law, this will likely become clear over time. However, it might not be feasible for franchise businesses to ignore the impact of the DPDPA until such later date as it comes fully into effect.
Srijoy Das, IDI Country Expert for agency & franchising in India