Pallavi: Are you curious about the impact of the Digital Personal Data Protection (DPDP) Act on Over The Top OTT platforms? Then this podcast is for you. Hi, I am Pallavi Janakiraman, your host and welcome to the final episode of ‘Gateway to data privacy and protection' special series by EY India Insights Podcast. We are joined by Mini Gupta, Cybersecurity Consulting Partner at EY India, who is currently part of the core team that is actively managing the agenda of the Digital Personal Data Protection (DPDP) Act, 2023 for EY India.
Over the last 10 years, she has been closely working on the agenda of data privacy in India and globally. Today, we will be discussing the OTT platforms’ data protection challenges, consent management, international data transfer, the role of data fiduciaries, and more. Mini, thank you for joining us for this episode.
Mini: Thanks, Pallavi. It is a pleasure to be here.
Pallavi: There are an increasing number of OTT platforms these days, particularly the smaller ones that are run by entrepreneurs who are aggregating the content. Will they have the ability to have a proper data protection officer?
Mini: Content aggregation service providers may not really deal with personal data. Their primary work is to curate and produce content and then share the same with OTT providers to show the content on their platform. If there is no involvement of personal data, then there may not be a need to have a data protection officer at all. In fact, the Act clearly says that it is in the case of significant data fiduciaries that one will need to appoint a data protection officer.
A significant data fiduciary would be notified based on certain criteria, such as volume, sensitivity of the personal data involved, the risks associated with the processing of personal data and several other conditions. If you look at it from a content aggregation point of view, it is unlikely that they (content aggregators) would fall in the category of significant data fiduciary even if there is some personal data with which they may interact with. Hence, they may not really need to officially appoint a data protection officer who is based in India.
Pallavi: How does the concept of data processor work with OTT and what would be the obligations of the data processor?
Mini: In the case of OTT companies, data processors would be the service providers who are processing personal data on behalf of the OTT service provider. For example, if an OTT service provider relies heavily on personalization, recommendations, and advertisements on other service providers, then such service providers would become the data processors. For example, to perform any data analytics, if an OTT service provider engages with another party, then that analytics services company becomes the data processor.
If you look at the Act, all the obligations are really on the data fiduciary. In this case, the obligations are on the OTT companies and not really on the data processors. Hence, the data processors will purely be governed by the contractual clauses that they sign with the OTT companies, and this is in the interest of OTT companies because they would be liable for all the penalties in case of any noncompliance. It ensures that the clauses with the data processors also cover similar obligations, such that the data processor deals with the personal data in as much seriousness and with as much diligence as a typical OTT company would have done.
So, there are no direct obligations under the Act but they will be governed by contractual clauses, which the OTT companies will have to ensure are watertight.
Pallavi: Thank you for those insights. Many OTTs operate globally and utilize the data to personalize offerings to their customers, both domestically and abroad. How will they deal with the clause prohibiting personal data from being transferred abroad, given that the analytical engines may well need the data to come up with the correct matches?
Mini: Many service providers who provide personalization services are setting up their services in local regions due to data protection regulations. While the service provider may be from the EU or the US, their services may be set up in India, where personal data is being processed to provide personalized recommendations and hence there is no personal data transfer.
But even in cases where there is persistent data transfer, the Act allows for transfer of personal data outside the territory of India, provided that country is not in the notified list of the central government, where such transfers are prohibited. In case of international service providers where processing is taking place outside India, as long as it is not situated in any country which is a part of our negative list of, transfer of data is not an issue.
Pallavi: Now, emphasizing on the data fiduciary concept, we noted that a lot of OTTs predominately rely on telcos. Who is the data fiduciary in this case and what are the relative responsibilities of each?
Mini: In this scenario, both operate as individual data fiduciaries as both process the personal data for their own purposes and both, in some cases, would be taking certain personal data elements that they would need for their services. In a way, they (telcos and OTTs) are the ones who are collecting data as well as deciding the means and purpose of the personal data that they are collecting or in some cases, they may be receiving from the other party.
There may be some personal data like mobile number or email address, which is commonly used by both OTT and telcos. In that case, they can be both data fiduciaries. Typically, in regulations such as GDPR it is referred to as joint data fiduciary. Under Indian DPDP Act, they would be termed as data fiduciaries, where common personal data is being processed by both the parties. However, both are identifying the means and purpose of their own respective uses. Hence, obligations of data fiduciary will be applicable to both of them.
Even if they have associations with any other parties, as long as they are defining the means and purpose of the personal data that the processing, such entities will act as data fiduciaries and the relative obligations of data fiduciary in terms of protecting the data, ensuring that the right notice is provided and consent is taken, ensuring that in case of any data breaches, the notifications are provided to the Data Protection Board as well as the individual – all the data fiduciary obligations would be applicable to the OTT as well as the telecom service providers.
Pallavi: Thank you, Mini. Adding to that previous question, we see that there are provisions for or fines on the data fiduciary who fail to protect the data or misuses it. How does that help someone whose data is being misused?
Mini: There is no explicit provision in the Act that mentions compensation or help for someone whose data has been misused or compensation for data principal. In fact, it is not really a practice that is followed across most global regulations as well. However, it is up to the Data Protection Board, which is expected to be set up soon, to decide if they would want to compensate the data principal in addition to the penalty that they would impose on the data fiduciary.
However, there are significant fines and penalties that are applicable to a data fiduciary in case of any instance of data misuse or any violation to the Act, which ideally should act as a deterrent to misuse the data in the first place. So, no direct compensation, but still deterrents are available such that the data misuse is avoided in the first case.
Pallavi: Law is the first step. What institutional capacity is being built to ensure the law is being implemented? In case of a data breach that harms the data principal, will there be a separate agency to take it further or will it be going to the normal police channels?
Mini: There are provisions around grievances; there are provisions to take matters across various escalation levels. So, as a data principal, or if someone comes to know of a breach or any harm that is caused to a data principal, they can first take it to the data fiduciary and request for clarification and more details. If they are not satisfied with what the data fiduciary’s response, the data principal has the provision to go to the Data Protection Board. In fact, if the principal is not satisfied with the Data Protection Board’s response as well, there is a provision to go further to Telecom Disputes Settlement & Appellate Tribunal (TDSAT). A natural progression from TDSAT eventually is a possibility of approaching the Honorable Supreme Court as well. So, there are multiple levels of escalation that have been provided that can be leveraged in case of any harm to a data principal.
Further, if you look at the overall capacity of monitoring, the data fiduciary is classified as a significant data fiduciary (data fiduciary dealing with a large volume of personal data, sensitive personal data or the risks associated with the processing would be high), then they will also need to undergo periodic audits. They will need to appoint an independent data auditor. And all of this, in fact, is a way of ensuring that there is some monitoring capability and capacity built on top of what a data fiduciary is doing. All of this put together does act as means and provisions to help in case of any harm or potential harm that could be caused to a data principal.
Pallavi: Journalists in media houses deal with a lot of personal data of various data principals — from news consumption, interviews, article publishing, and movie reviews. Would media houses and journalists need to obtain consent prior to possessing their personal data?
Mini: Unlike General Data Protection Regulation (GDPR) and most global data protection regulations where journalistic purposes and public interest are exempted, in the Indian DPDPA, there is no exemption provided for journalistic purposes and public interest, and hence we will have to wait for the rules to see if there would be any exemptions that would be coming up. In fact, the ministry is seeking consultations on the subject of any exemptions and the justifications for the same.
We may be looking forward to some exemptions for journalistic purpose. Else, under what we see as per the current version of the Act, we will have to rely on consent, which may practically be difficult and extremely onerous as well. Additionally, the Press Act of India may also come to light where it allows processing of data for journalistic purpose. So, while there is a no provision, from DPDPA perspective, we would need to look at the Press Act of India and see if the same can be done.
Pallavi: Thank you for joining us and sharing all these valuable inputs on how the DPDP Act has impacted the OTT sector.
Mini: Thank you.
Pallavi: On that note, we come to end of this episode, make sure to hit subscribe on the preferred platform if you haven't already so you can get notified about our next series of podcast. Thanks for listening in. Until next time. This is Pallavi, signing off.