The expression “data is the new oil” has never been truer than it is today. In the digital age, all consumer-facing businesses benefit significantly from data about consumers, and it has never been easier to collect, classify, and analyze such data, whether online or from brick-and-mortar outlets.
This data allows businesses to know their consumers better than ever before – their ages, gender, locations, phone numbers, and spending patterns are all easily available. This allows businesses to differentiate products, plan production in line with consumption, and ensure their goods and/or services are priced to retain brand value while also being enticing. Consumer data analysis is also highly beneficial for targeted advertising programs, which provide substantial returns for investments in marketing.
Unlocking the Power of Consumer Data
As a foreign brand owner partnering with Indian businesses, it is imperative that the brand owner gain access to this invaluable resource. After all, the parties won’t necessarily be wedded for life. There are several reasons why relationships between them may not last, including the will of the brand owner to set up shop in India directly.
It would be folly not to take advantage of the Indian partner’s experience and access to data. So, what are the areas to be mindful of when structuring an arrangement for the Indian market?
Data Access: A Must for Brand Owners
Consumer lists, including phone numbers, email addresses, social media accounts, etc. Typically, partners are asked to provide brand owners with perpetual access to this information, but there are often disagreements at the time of termination of relationships, resulting in a refusal to share such data.
Specific data protection law compliance requirements, such as compliance with India’s strict data breach reporting requirements, consent notices that cover access to data by the brand owner, the need for the partner to have a comprehensive documented information security program alongside specific requirements that seek compliance with the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011(“SPDI Rules”) as well as the Digital Personal Data Protection Act, 2023 (“DPDPA”) when it is brought into force.
Brand owners must retain the right to specifically approve the licensee or franchisee’s consumer-facing privacy notices and terms of service to safeguard the brand owner’s access to data generated.
Another important source for analyzing purchasing trends, seasonal and geographic variations in demands, and the success of various discount schemes is data generated by e-commerce marketplace accounts. It is thus necessary to require partners to share reports generated from seller accounts on these marketplaces.
Data from digital marketing campaigns on social media, as well as online advertising, is an essential source that is used to determine product and business strategies, as well as potential expansion plans. Brand owners may also consider requiring partners and licensees to conduct consumer surveys to obtain feedback on the partners’ or licensee’s specific operations and the business model’s success in India.
While it is essential to ensure that brand owners have access to this invaluable data, it is equally essential to ensure that competitors of these brand owners do not gain access to this data under the termination of contractual relationships with licensees. It is imperative that suitable clauses be inserted in any agreement allowing for data audits and a scrubbing requirement that leaves it open to the brand owner to enforce such terms.
Consent to Cross-Border: Navigating Data Protection Rules
Indian data protection law is on the precipice of a sea change, with the DPDPA having received parliamentary assent but awaiting enforceability in abeyance of delegated legislation. As is the case with all other businesses, the retail sector will also be affected by the new law. While it is not currently possible to make a comprehensive assessment of how things will change without analyzing the delegated legislation, cross-border arrangements for the sale of goods and services will almost certainly be affected by the following:
- The DPDPA will apply even to foreign entities that process the personal information of Indian data subjects. However, the law’s enforceability on foreign corporations that have no presence in India remains to be seen.
- As opposed to the current law (the SPDI Rules) that requires consent only for the processing of sensitive personal data (defined as passwords, medical information, financial instrument information, sexual orientation, and biometric information), the DPDPA requires that there be a basis of processing for all personal data. Where this relates to consumers, the basis of processing will foreseeably essentially be consent. Even the level of this consent shall differ from the currently applicable requirements, as the DPDPA requires consent to be specific, informed, unconditional, unambiguous, through an explicit affirmative action, and provable.
- It will be important to identify between brand owners and licensees which party acts as the controller (called the data fiduciary under the DPDPA) and which party acts merely as a processor. Since brand owners are unlikely to act purely as processors, they will need to take steps to conform to the obligations consistent with those of a controller.
- Relatedly, the DPDPA places all compliance obligations directly on the controller, not the processor. Brand owners must ensure that any licenses contain strict obligations for compliance with the DPDPA, including executing a separate data protection addendum, if necessary. Given the considerable monetary penalties that may be imposed under the DPDPA, we have already seen many of our clients renegotiate representations, warranties, and indemnity/liability caps regarding compliance with data protection law.
- There are additional data breach reporting requirements under the DPDPA. These will likely be in addition to those already in place by the Indian Computer Emergency Response Team (“CERTIN”), which requires the reporting of all cybersecurity incidents (including data leaks and data breaches) within six hours of becoming aware of such incidents.
- There shall be additional consent requirements for the processing of a minor’s data, wherein verifiable consent must be obtained from the minor’s lawful guardian. Additionally, tracking, behavioural monitoring or targeted advertising aimed at minors is prohibited under the DPDPA.
- What may be a relief to foreign brand owners is that no specific restrictions have been placed regarding overseas transfers of Indian citizens’ personal information. However, the DPDPA allows the Indian government to notify countries to which cross-border transfer may be restricted, and it is possible that such countries may be advised based on India’s geopolitical situation.
Looking Ahead: Data as the Gateway
It is essential for foreign brand owners looking to enter the Indian market to craft agreements considering access to consumer data as a crucial factor, as data analytics is fundamental in determining the qualitative and quantitative image of the business. Therefore, brand owners must secure the right to receive, store, and analyze such data. Additionally, with the introduction of the DPDPA, the importance of obtaining compliance with applicable laws cannot be overstated. By engaging with these issues proactively, brand owners can serve their interests within the legal contours of protecting consumer data. In the long term, those prioritizing data access, security, and compliance will be best positioned to thrive in India’s dynamic retail market.
1 Comment
Pingback: Quatro Hive: Ensuring Access to Retail Consumer Data – The Key Regulatory Issues - G&W Legal | Advocates and Legal Advisors