
IMPACT OF THE DIGITAL PERSONAL DATA PROTECTION ACT 2023 ON THE INDIAN INSURANCE SECTOR

Introduction

On 11 August 2023, India’s first comprehensive data protection and privacy legislation, the Digital Personal Data Protection Act 2023 (“DPDP Act”), was published in the Official Gazette following Presidential assent.

The accompanying notification clarifies that the Act is published for general information and that its provisions shall come into force in stages, on such dates as the Central Government notifies[[1]]. The Central Government is also expected to notify rules under various provisions of the DPDP Act in order for those provisions to be implemented.

Once notified, the DPDP Act will supersede the fairly limited provisions governing the existing data privacy regime in India, i.e. §43A and §87(2)(ob) of the Information Technology Act 2000[[2]] (“IT Act”). It will also repeal the IT (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011 (“SPDI Rules”).

On the insurance regulatory front, shortly before the DPDP Act was enacted, the Insurance Regulatory and Development Authority of India (“IRDAI”) in April 2023 revised its 2017 norms on data protection and cyber security by issuing the “Guidelines on Information and Cyber Security for Insurers” (“Cyber Security Guidelines”). These guidelines apply to all Insurers and insurance intermediaries. Following the notification of the DPDP Act, the IRDAI formed a task force on 24 November 2023 to study the implications of the DPDP Act for the Indian insurance sector. As of now, no report from this task force is publicly available.

Scope and Applicability

It is relevant to note that the scope and applicability of the DPDP Act is broader than the SPDI Rules. While the SPDI Rules provide guidance in relation to, inter alia, collection, disclosure and transfer of “sensitive personal data or information”[[3]], the DPDP Act applies to all “personal data”[[4]] and provides guidance in relation to inter alia, grounds for processing of personal data, rights and duties of a Data Principal[[5]], obligations of a Data Fiduciary[[6]], contractual requirements for engaging a Data Processor[[7]], manner of adjudication and appeal[[8]], and penalties[[9]] for non-compliance/breach of the DPDP Act’s provisions.

The DPDP Act applies to the processing[[10]] of personal data within the territory of India and, in certain cases, outside it:

    1. Within the territory of India[[11]]: Where personal data is collected or processed digitally through the websites/applications of Insurers (or by insurance intermediaries on their behalf), the provisions of the DPDP Act apply. This also holds where personal data is collected in non-digital form and is subsequently digitised (for example, physical proposal forms which are then digitised).
    2. Outside the territory of India[[12]]: Where personal data is processed outside India, but in connection with offering goods or services to Data Principals in India, the provisions of the DPDP Act apply. As an illustration, where Insurers (or insurance intermediaries on their behalf) transfer personal data to territories outside India for reinsurance, policy servicing, etc, they will be required to ensure compliance with the provisions of the DPDP Act in respect of that processing.
    3. However, the provisions of the DPDP Act do not apply in certain situations, such as where a policyholder’s personal data has been made publicly available[[13]] either by the policyholder or by any other person who is under a legal obligation to make such personal data publicly available.

Impact of the DPDP Act on the Indian Insurance Sector:

Until express guidance is issued, whether by way of circulars from the IRDAI or rules notified under the DPDP Act, our comments on the DPDP Act’s potential impact on the Indian insurance sector are outlined as follows:

    1. Processing of Personal Data: Data Fiduciaries may process personal data of a Data Principal only for a lawful purpose and either (i) with the consent of the Data Principal, or (ii) for certain legitimate uses[[14]] specified under §7 of the DPDP Act. Insurers typically share personal data for various purposes, including sending policyholders’ medical records to third parties such as hospitals for fraud verification, outsourcing tele-calling and other communications with policyholders for policy renewal or claims processing, review exercises for enhancing the general quality of customer service, preparing marketing strategies, etc. In our experience, a significant portion of these purposes does not prima facie fall within legitimate use, and Insurers will therefore be required to obtain express consent from the prospects/policyholders concerned.
    2. Consent: The Cyber Security Guidelines already set out certain consent-related norms, requiring that, before “personally identifiable information” is collected, the individual concerned is made aware that personal information is being collected, together with its purpose, recipients, end-use, etc[[15]]. The DPDP Act now explicitly sets out the conditions that must be satisfied for consent to be validly obtained for the processing of personal data, so there may be some overlap between the two sets of requirements. However, the DPDP Act’s requirements on the manner of obtaining consent are more detailed: consent must be free, specific, informed, unconditional and unambiguous, and must signify agreement through a clear affirmative action. No such mandate is present under the Cyber Security Guidelines. To that extent, the language and manner in which Insurers presently seek consent may need to be reviewed internally to ensure compliance with the new requirements.
    3. Notice: Prior to or at the time of seeking consent from the Data Principal for processing their personal data, the Data Fiduciary is required to issue a notice. The contents of such notice include (i) the personal data to be processed, (ii) the purpose of processing, (iii) the manner in which the Data Principal can withdraw consent or register a grievance, and (iv) the manner of lodging a complaint with the Data Protection Board set up by the Central Government[[16]] (“Board”). In the context of the Indian insurance sector, this requirement may not be entirely novel, as it appears to overlap operationally with existing requirements under the SPDI Rules[[17]] and the norms applicable to the collection of “personally identifiable information” by an Insurer under the Cyber Security Guidelines[[18]]. To illustrate:
        (i) Under the present SPDI Rules, body corporates are already required to maintain a privacy policy and disclose certain information (such as the type of personal or sensitive personal information collected, and the purpose of collection and usage of such information). It therefore remains unclear whether the notice requirement under the DPDP Act is effectively fulfilled by the privacy policies that body corporates already maintain under the (soon to be erstwhile) SPDI Rules. Notably, even once the SPDI Rules are repealed, the requirement to maintain a privacy policy continues to apply to Insurers and insurance intermediaries under the Cyber Security Guidelines[[19]].
        (ii) In terms of implementation, the DPDP Act does not currently provide any guidance on how a notice is to be provided or on the other contours of this new requirement. Until rules are notified in this regard, reference may be drawn from existing practice under the EU General Data Protection Regulation (“GDPR”), which contains similar requirements on notice or “privacy notice”[[20]].
        (iii) The notice must be in clear and plain language, and the Data Principal must be given the option to access it in English or in any of the 22 languages specified in the Eighth Schedule to the Constitution of India.
    4. Data Fiduciary Obligations: A Data Fiduciary is defined as “any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data”. Given this wide definition, and the potential involvement of multiple entities in deciding the purpose and means of processing personal data in an insurance transaction, it is presently unclear whether the Insurer, the insurance intermediary, or both will be treated as the Data Fiduciary for the purposes of the DPDP Act. All Data Fiduciaries are bound by the obligations detailed under §8, and non-compliance could result in adjudication and/or penalties under Schedule I of the DPDP Act. To illustrate the impact on the Indian insurance framework, one such obligation requires Data Fiduciaries to protect personal data by implementing reasonable security safeguards and appropriate technical and organisational measures. While the Central Government is yet to notify the manner of implementing such safeguards and measures, Insurers may need to review their existing agreements with outsourcing service providers to ensure that they are in line with these requirements[[21]].
    5. Significant Data Fiduciary: The DPDP Act introduces an additional class of Data Fiduciary, the “Significant Data Fiduciary” (“SDF”), to be notified on the basis of the factors set out in §10 of the DPDP Act. The Central Government is yet to notify the entities to be classified as SDFs, and there is presently no indication whether any Insurer or insurance intermediary will be so classified. Once designated, such entities will be required to comply with the additional requirements detailed under §10(2) of the DPDP Act. While some of these requirements may overlap with those under the existing insurance regulatory framework[[22]], future rules or notifications from the Central Government may clarify the extent of this overlap and any additional compliance obligations for Insurers.
    6. Processing of Personal Data of children/persons with disabilities: The DPDP Act sets out specific requirements for processing the personal data of children (persons under 18 years of age) and persons with disabilities[[23]]. Given that Insurers collect personal data from these groups, they must obtain, and be able to demonstrate that they have obtained, “verifiable consent” from the parent or lawful guardian, and must ensure that the personal data is not processed in breach of the DPDP Act. Notably, where an Insurer contracts with a child’s parent and the child is merely added as an insured under the policy, separate consent may be needed for the processing of the child’s personal data, in addition to the consent for processing the personal data of the parent/lawful guardian.
    7. Rights of Data Principal: Entities are required to ensure that Data Principals, which include prospects, policyholders and any other individuals from whom personal data is collected, are able to exercise their rights in relation to the processing of their personal data in accordance with Chapter III of the DPDP Act. However, the right to erasure does not apply where retention of the personal data is necessary for the specified purpose or for compliance with any law for the time being in force[[24]]. For example, the exercise of some of these rights may be affected by the IRDAI (Minimum Information Required for Investigation and Inspection) Regulations 2020, which mandate that Insurers and insurance intermediaries retain various records for minimum periods.
    8. Transfer of Data Outside India: The DPDP Act empowers the Central Government to restrict the transfer of personal data to such countries or territories outside India as it may notify. Although no such countries have been identified yet, once they are notified, Insurers and insurance intermediaries will be required to cease transferring personal data to those countries for any purpose (which may potentially include reinsurance or policy servicing). They will also need to establish alternative arrangements to ensure uninterrupted service to policyholders.

Conclusion

The DPDP Act marks a significant shift in India’s data protection and privacy landscape, with far-reaching implications for various sectors, including the insurance sector. The Act’s broad scope and applicability, which extends to all personal data, will supersede the existing data privacy norms in India as outlined under the Information Technology Act 2000 and the SPDI Rules.

The insurance sector in India will be particularly impacted by the DPDP Act, as it historically handles a significant amount of personal and sensitive data. The DPDP Act’s broader scope, stringent consent requirements, and enhanced obligations for Data Fiduciaries give rise to a need to review all existing data handling practices, forms of consent and agreements between insurers and insurance intermediaries/other vendors.

From mobile application ecosystems and consent forms to data analytics and the use of artificial intelligence (AI), a significant number of changes are expected. Proposal forms (both online and offline) will need to incorporate specific consent for each policy, based on the data required for each product, and digital applications will need to be altered to comply with the consent provisions. Insurers rely on data analytics and, increasingly, artificial intelligence for risk assessment, customer behaviour analysis and marketing campaigns. The DPDP Act will affect these technologies and require a privacy-by-design approach in their development.

Furthermore, the interplay between the DPDP Act and existing IRDAI regulations adds another layer of complexity. While the DPDP Act specifies various new requirements, there are also overlaps with the compliances prescribed by the IRDAI under the extant Indian insurance statutory and regulatory framework. Industry stakeholders are awaiting further guidance from the IRDAI and the Central Government, which will potentially address the present challenges and facilitate the transition to the new regime.

Footnotes 

[1]             §1(2) of the DPDP Act.

[2]             §44(2) of the DPDP Act repeals these. §43A and §87(2)(ob) of the IT Act are the provisions under which the SPDI Rules were notified. Other provisions of the IT Act will continue to remain applicable, but DPDP Act would prevail in case of any inconsistencies.

[3]             R3 of the SPDI Rules defines “sensitive personal data or information” as “such personal information which consists of information relating to;—

(i)           password;

(ii)         financial information such as Bank account or credit card or debit card or other payment instrument details;

(iii)        physical, physiological and mental health condition;

(iv)         sexual orientation;

(v)          medical records and history;

(vi)         Biometric information;

(vii)        any detail relating to the above clauses as provided to body corporate for providing service; and

(viii)       any of the information received under above clauses by body corporate for processing, stored or processed under lawful contract or otherwise;

provided that, any information that is freely available or accessible in public domain or furnished under the Right to Information Act, 2005 or any other law for the time being in force shall not be regarded as sensitive personal data or information for the purposes of these rules.”.

[4]             §2(t) of the DPDP Act defines “personal data” as “any data about an individual who is identifiable by or in relation to such data;”

[5]             §2(j) of the DPDP Act defines “Data Principal” as “the individual to whom the personal data relates and where such individual is—

(i)           a child, includes the parents or lawful guardian of such a child;

(ii)         a person with disability, includes her lawful guardian, acting on her behalf;”

[6]             Data Fiduciary has been defined under §2(i) of the DPDP Act as “any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;”

[7]             §2(k) of the DPDP Act defines “Data Processor” as “any person who processes personal data on behalf of a Data Fiduciary;”

[8]             §27 of the DPDP Act.

[9]             Schedule I of the DPDP Act.

[10]            §2(x) of the DPDP Act defines “processing” as a “wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction;”

[11]            §3(a) of the DPDP Act.

[12]            §3(b) of the DPDP Act.

[13]            §3(c) of the DPDP Act.

[14]            §4(1) of the DPDP Act. The detailed scope of legitimate uses is set out under §7 of the DPDP Act, but broadly, consent is not required for certain uses which inter alia include: (i) the specified purpose for which an individual has voluntarily provided personal data; (ii) the provision by the State of a subsidy, benefit, service, certificate, licence or permit; (iii) the performance of State functions under law, or in the interests of the sovereignty, integrity or security of the State; (iv) responding to a medical emergency, or providing medical treatment or health services; (v) ensuring safety of, or providing assistance or services to, individuals during a disaster or breakdown of public order; and (vi) employment-related purposes.

[15]            ¶3.5.2 under Chapter 2.1 “Data Classification” of the Cyber Security Guidelines.

[16]            §18 of the DPDP Act.

[17]            R4 of the SPDI Rules.

[18]            ¶3.5.1 under Chapter 2.1 “Data Classification” of the Cyber Security Guidelines.

[19]            ¶3.1(4) under Chapter 2.24 “Information Technology” of the Cyber Security Guidelines.

[20]            For the information that is required to be provided when collecting personal data, please see Articles 12, 13 and 14 (Chapter III) of the GDPR.

[21]            For reference, please see: https://www.pinsentmasons.com/out-law/analysis/gdpr-the-controller-v-processor-debate-in-financial-services.

[22]            Please see Chapter 1.8 “Risk Management” and Chapter 1.10 “Compliances” of the Cyber Security Guidelines.

[23]            ¶3.5.2 under Chapter 2.1 “Data Classification” of the Cyber Security Guidelines.

[24]            §12(3) of the DPDP Act.