The Digital Personal Data Protection Act, 2023 (DPDPA), has attracted significant attention from Indian and global businesses during the past two years. This has been so even though the legislation is not yet in force.
Companies have begun taking steps to achieve compliance and are changing the way they operate their business to fall in line with the act’s requirements. Although the government has indicated that it will give businesses sufficient time to put necessary compliance measures in place before the implementation of the law, a proactive approach towards compliance should be undertaken. This is because most companies will have to overhaul their internal processes substantially.

The DPDPA applies in addition to other sector-specific regulations. Compliance plans should, therefore, take into account data protection and cybersecurity requirements under other laws to ensure conformity with overlapping provisions. The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016, and the rules and regulations enacted under it (Aadhaar laws) form an important but often overlooked body of legislation that prescribes specific data protection-related obligations.
Aadhaar is a unique personal identification system available to any resident in India. Aadhaar-related data are processed by most businesses to verify the identity of customers or to carry out employment-related filing and payments. The Aadhaar laws impose transparency, consent and security-related obligations on private businesses that collect and process Aadhaar data. Accordingly, a holistic approach towards compliance should be adopted to fulfil overlapping obligations under the DPDPA and the Aadhaar laws.
Consent standards under the Aadhaar laws are strict. They require businesses to inform individuals of the specific purposes for which the data will be processed. Individuals must also be made aware that failing to supply Aadhaar data will not prevent them from using the services of the company. These requirements are in addition to those in the DPDPA. Although an Aadhaar-related processing activity may qualify as a legitimate use of data under the DPDPA, such as for employment-related purposes, requirements for consent under the Aadhaar laws will continue to apply. Employee and customer onboarding journeys must incorporate these consent requirements in circumstances where Aadhaar data is sought with other personal information.

The Unique Identification Authority of India (UIDAI), the regulatory authority for the Aadhaar laws, has also required businesses that process Aadhaar data to notify individuals in their local language of relevant processing activities and the purposes for which the Aadhaar data is processed.
Similarly, businesses will also have to meet the additional security requirements under the Aadhaar laws. One such requirement is the necessity to mask the first eight digits of the 12-digit Aadhaar number prior to processing. This is a cumbersome requirement for companies that keep physical or scanned copies of Aadhaar cards on record.
To avoid the need to implement internal security measures, companies have started to inform individuals that they should submit only a masked version of their Aadhaar card. This may be done by downloading a copy from the UIDAI’s website.
Obligations to report breaches have also been imposed on businesses under the Aadhaar laws. Should a personal data breach occur, companies must identify whether the breach has affected Aadhaar-related data. This may require a report to be filed with the UIDAI. Such obligations are in addition to having to report the incident to the Data Protection Board and, under existing cybersecurity laws, to the Indian Computer Emergency Response Team, or CERT-In.
To avoid these additional obligations, many companies have started purging Aadhaar data from their internal servers and are relying on alternative identification methods that do not attract regulatory scrutiny. However, if Aadhaar data collection is essential to their operations, businesses should factor in the requirements under the Aadhaar laws. Because the introduction of the DPDPA will force all companies to re-examine their internal processes and documentation, it may be an apposite time to programme Aadhaar law compliance into their planning and operations schedules.
Ada Shaharbanu is a senior associate and Vishnu Naduvakkad is an associate at Spice Route Legal.
