Privacy Notice under the Digital Personal Data Protection Act, 2023

The article discusses the concepts of Privacy Notice and Privacy Policy with reference to the Digital Personal Data Protection Act, 2023 and the Information Technology Rules, 2011.
NovoJuris Legal - Sandeep G

As we may all have noticed, the terms Privacy Notice and Privacy Policy are used interchangeably by many organizations across the world. This practice is visible even in some privacy laws.

The California Online Privacy Protection Act, 2003 uses the term ‘Privacy Policy’ as a policy to be posted by an operator of a commercial website or online service. Similarly, the California Consumer Privacy Act, 2018 (CCPA) also uses the term ‘Privacy Policy’.

The General Data Protection Regulation, 2016 (GDPR) follows its own approach by simply stating “information” is to be provided to the data subjects. Digital Personal Data Protection Act, 2023 (DPDPA) requires ‘notice’ to be provided while obtaining the consent of the individuals (‘Data Principals’) whose data is intended to be processed by an organization.

Despite the interchangeable use of these two terms both by the legislative machinery and the businesses, the International Association of Privacy Professionals (IAPP) clearly distinguishes these two terms. Privacy Policy, according to the IAPP, is an internal document or policy that aims to provide information on data protection and handling practices to the internal stakeholders of an organization. A Privacy Policy is also otherwise known as a Data Protection Policy. Privacy Notice is an external document or statement that informs individuals and other stakeholders about the data protection and handling practices of an organization.

Difference between Privacy Notice and Privacy Policy

Both the Privacy Policy and Privacy Notice may contain information on (i) the individuals’ rights; (ii) the categories of information; and (iii) how, and for what purposes, the information is processed by an organization. Besides this similarity, there are some differences between these two documents:

  • A Privacy Policy intends to outline the internal stakeholders’ roles and responsibilities, internal processes and procedures that they should adhere to for ensuring effective data handling and security, and the consequences of non-compliance with such processes and procedures. In simple terms, a Privacy Policy may specify the obligations and/or the way the internal stakeholders can honor the organization’s commitments in the Privacy Notice.

  • A Privacy Notice is intended to ensure transparency about an organization’s data processing activities to the external stakeholders. A Privacy Notice may include information on the (i) categories of the personal data processed; (ii) source of the data; (iii) the purposes and manner of processing the data; (iv) sale and/or disclosure of such data to other recipients and their details; (v) contact information for the exercise of rights by the individuals; (vi) retention and deletion of such data; (vii) use of cookies and other tracking technologies; and (viii) such other information required under applicable data protection laws.

Privacy Policy under the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 (“IT Rules”)

Until the commencement of the DPDPA, every organization, pursuant to the IT Rules, is required to publish a privacy policy providing for (i) clear and accessible statements of its practices and policies; (ii) type of personal or sensitive personal data collected; (iii) purpose of collection and usage of such information; (iv) disclosure of information including sensitive personal data or information to third-party; and (v) reasonable security practices and procedures (for example, controls aligned with those under ISO 27001).

Privacy Notice under DPDPA

DPDPA requires a Data Fiduciary’s Privacy Notice to provide information on the following [Section 5 of the DPDPA, 2023]:

(i) Categories of personal data processed by an organization;

(ii) Purposes for which the personal data is intended to be processed;

(iii) Information on the way Data Principals can raise a complaint to the Data Protection Board of India;

(iv) Information on how the Data Principal can (a) exercise their right to withdraw the consent; and (b) approach the grievance redressal mechanism concerning the exercise of their rights under the DPDPA or any act or omissions related to the performance of the Data Fiduciary’s obligations related to the processing of such Data Principal’s personal data under the DPDPA; and

(v) Contact details of the Data Protection Officer, if applicable, or any other person authorized to respond to and assist the Data Principal with their questions, grievances, and rights.

In the case of legacy or historical data (for example, personal data collected before the commencement of the DPDPA), an organization is expected to provide the Data Principals with the same information (as specified in the preceding paragraph) if consent is the legal basis of processing their personal data. The organization may process their personal data until they withdraw their consent to such processing.

Differences observed under the IT Rules and DPDPA

On a comparison of the privacy or consent notice requirements under the DPDPA with those under the IT Rules, it is observed that a privacy policy published pursuant to the IT Rules may not contain information on DPBI, grievance redressal, or exercise of rights of Data Principals. A Data Principal has a separate right under the DPDPA to obtain, from a Data Fiduciary, information on the recipients of the former’s personal data, including the categories of personal data disclosed to recipients.

In the absence of a mention of the Data Principals’ rights under the DPDPA in a Privacy Notice, specifying the way Data Principals may reach out to the grievance redressal mechanism of a Data Fiduciary, the notice may not fulfill the intent and/or purpose of the Privacy Notice. Thus, familiarizing the Data Principals with information on their rights via a Privacy Notice could be one of the key considerations while drafting/modifying a Privacy Notice.

Additionally, DPDPA (Section 5) does not explicitly mandate the Data Fiduciaries to provide information in the Privacy Notice on data retention, data processing locations, personal data processing to comply with legal requirements, the manner in which changes to the existing privacy notice may take place, and the use of consent managers. It is a good industry practice to include these items as additional information to ensure greater transparency about an organization’s data processing practices. Perhaps, the upcoming Rules under the DPDPA may enunciate details.

In addition to the above, DPDPA obligates the Data Fiduciary to provide an option to the Data Principals to access the Privacy Notice in English or any other regional language specified in the Eighth Schedule of the Constitution.

An organization complying with the DPDPA is expected to consider all the above-mentioned aspects while constructing a new privacy policy or modifying an existing one to align it with the requirements under the DPDPA, 2023.

About the author: Sandeep G is an Associate at NovoJuris Legal.

Bar and Bench - Indian Legal news