Robust compliance needs of new data protection law may raise costs for telcos
Robust compliance needs of new data protection law may raise costs for telcos
The DPDP Act introduces penalties for non-compliance, including general consequences and maximum fines for specific violations, which can amount to Rs 50 crore to Rs 250 crore,” said Gaurav Sahay, partner, SNG & Partners, Advocates & Solicitors. “It's noteworthy that there isn't a predetermined cap on penalties for multiple breaches; each offence incurs its own penalty, potentially aggregating to determine the maximum applicable fine.
Mumbai: Implementing the data protection law will increase compliance burden on the telcos, which in turn will lead to significant rise in compliance costs, legal experts said.
In addition to this, the telcos will also face increased risks of breach of law with dual roles as data processors and data fiduciaries according to the provisions of the new Act, they said.
"Implementing the provisions of the Act will result in robust compliance needs. This will translate to significantly elevated costs in terms of both personnel and software,” said Kaushik Moitra, partner at law firm Bharucha & Partners.
Since consumer consent plays a big role under the new Act, it will become paramount for telcos to process consent granted by the consumers, and also when it is modified in any form, or revoked completely. Telcos will need to invest not only in software for rigorous consent management, but also will need to employ personnel for the same.
As per the gazette notification of the Digital Personal Data Protection Act, 2023, the Centre may notify any data fiduciary as a “significant data fiduciary”, who will then be required to appoint a data protection officer to undertake periodic data protection impact assessments, conduct periodic audits and other such measures.
While it was too early to gauge the quantum of increase in compliance costs, legal experts said it will be a significant increase, more so for some telecom operators than others.
“The cost of consent compliance on a network level will be more for telcos’ older networks since the compliance will have to be met at the circle level. Those with upgraded networks will be able to centralise consent compliance,” Moitra added.
Under the provisions of the Act, the telcos can be considered both data fiduciaries as well as data processors, thus causing them to undertake dual roles when it comes to handling consumer data.
This duality will lead to increased risk of breaching the law, experts observed.
“The DPDP Act introduces penalties for non-compliance, including general consequences and maximum fines for specific violations, which can amount to Rs 50 crore to Rs 250 crore,” said Gaurav Sahay, partner, SNG & Partners, Advocates & Solicitors. “It's noteworthy that there isn't a predetermined cap on penalties for multiple breaches; each offence incurs its own penalty, potentially aggregating to determine the maximum applicable fine.”
Bharti Airtel, Vodafone Idea and Reliance Jio did not respond to requests for comment at press time. But representatives from telcos have earlier said that they are aware of the data compliance implications of the new Act.
“For telcos, it is far more significant because our consumer data gets touched by a variety of players, whether it is the SIM card manufacturers, people working in market intelligence or it could be OTT players. The identity is digital everywhere, which is the mobile number. We will look forward to how this law gets enacted on us and the compliance,” Mathan Babu Kasilingam, executive vice president - chief technology security officer, Vodafone Idea, said at a recent industry event.
Sanjeev Dhallam, vice president-core network and security, Bharti Airtel, said the telcos already have in place strong governance and security practices for the protection of data.
Apart from increasing risk of breach of law and an increase in cost of compliance, telcos also face the issue of the provisions of the new Act potentially impacting certain businesses, especially those relying on customer data to get traction.
“The outlook to reach the target audience for the telecom sector post the enforcement of the DPDP Act will be completely different and more structured,” said Vikas Bansal, associate partner, IT risk advisory & assurance, BDO India. “Companies will have a more focused target audience and a building mechanism to secure consent before any kind of business pitch. This may entail a higher percentage of consent rejection and a lower volume of target audience.”
All three telcos have made clear their ambitions to dabble in the ad-tech space through their respective ad-tech platforms. The premise of these platforms is the captive database that telcos have access to from their subscriber base. With increased focus on consumer consent, the data may not be readily available to share with third parties and hence may impact the reach that their platforms offer the client brands.
Source: Telecom