DATA PROTECTION
Points to consider: In addition to ensuring that all these rights are easily accessible and available to a gamer, a gaming platform should think through its UI/UX design in a manner that these rights are accounted for. Platforms should chisel their UI carefully and evaluate the relevant junctures where they can enable the data principal to exercise their rights seamlessly and effectively. The DPDP Act expects that some of these rights are not kept hidden across the platform and a user is able to find and exercise these rights simply. Managing the relationship with data processors Gaming platforms invariably engage and rely on multiple third-party service providers for various functions, be it payment processing, technology support, marketing activities, or lead generation. According to the DPDP Act, a “Data Processor” 17 refers to any person who processes personal data on behalf of the Data Fiduciary; i.e., the gaming platform. Unlike privacy legislations in some other countries, the DPDP Act has not put any direct obligations or compliance requirements on the Data Processor itself. The DPDP Act attributes responsibility solely to the Data Fiduciary, even though the processing may be carried out by third parties. 18 Having said that, it is mandatory for Data Fiduciaries to undergo such delegation or outsourcing under a valid contract only. 19 Hence, Data Fiduciaries will need to exercise control and provide clear instructions to Data Processors on how to handle the personal data through their written contracts. Data Fiduciaries may not be able to complete several obligations imposed under the DPDP Act without the cooperation and support of Data Processors. For instance, if a gamer requests the
Data Fiduciary to delete their data or withdraws their consent for further processing, a Data Fiduciary may not be able to meet this request unless the relevant Data Processor agrees to such request. Points to consider: Operators should identify and collate the list of all relevant Data Processors with whom they have shared or will share personal data of the gamer. The relevant contracts with each such Data Processor should then be examined to check if the Data Fiduciary has sufficient control and oversight over the Data Processor’s processing activities and whether such Data Processor is bound to comply with the relevant instructions of the Data Fiduciary with respect to personal data. Operators that have standard vendor contracts should revise the templates and build sufficient clauses in line with the DPDP Act. Lastly, operators should have internal standard operating procedures (SOPs) that explain the chain of command and communication while passing on requests to Data Processors. Conclusion The DPDP Act is a watershed moment in safeguarding personal data in India. This legislation was long overdue, given the number of internet users in India, the data generated by them, as well as the country’s role in cross-border trades and investments. Needless to say, the DPDP Act requires online gaming platforms to navigate the delicate equilibrium between delivering an engaging gaming experience and safeguarding gamers’ personal data. Despite the awaited regulatory specifics, swift implementation is advised to establish a preliminary foundation and then build on it as more clarity is provided through the rules and other market parallels.
Ranjana Adhikari Partner, Technology, Media & Entertainment, IndusLaw, Mumbai For information contact ranjana.adhikari@induslaw.com
Sarthak Doshi Senior Associate, IndusLaw Shashi Shekhar Misra Associate, IndusLaw
17 Section 1(2)(k) of the Act 18 Section 8(5) of the Act 19 Section 8(2) of the Act
PAGE 30
IMGL MAGAZINE | JANUARY 2024
Made with FlippingBook flipbook maker