Through the lens of fashion: India’s Digital Personal Data Protection Act 2023

With global data breaches rising, Remfry & Sagar lawyers Cyril Abrol and Radha Khera explain how the new Indian law will increase protections for luxury consumers

In 2022, some 2.3 billion personal data records were exposed in data breach incidents (Image: Maksim Kabakou)

Earlier this year, it was reported that for the year 2022, around 2.3 billion records containing personal data were exposed in data breach incidents globally – with India being one of the most impacted countries. Of these, statistics reveal that most breaches were in the healthcare and retail sectors.

Data breaches are also common in the Indian fashion industry. For example, in May this year, e-commerce retailer Zivame suffered a significant data breach compromising the personal information of over 1.5 million customers. Another fashion industry data breach incident affected the personal information of over 1.3 million customers of Kewal Kiran Clothing, one of India’s largest branded apparel manufacturers. 

Last year, personal information including names, phone numbers, addresses, order history and credit card details of more than 5.4 million customers of Aditya Birla Fashion and Retail Limited, one of India’s largest retail enterprises, was leaked from its online portal. Globally too, the fashion industry has suffered instances of personal data leaks, including at companies such as Moncler, Zegna, Luxottica, Benetton and Chanel.

What makes luxury an attractive target?

Luxury is associated with the perception of high quality, safety and trust for a consumer who willingly chooses a sense of stature and comfort while making purchasing decisions. Thus, for a luxury brand, upholding that trust and maintaining its reputation is critical. Luxury has thus far restricted its retail to brick-and-mortar stores, and its move to e-commerce has been relatively recent. With customers typically comprising high net worth individuals, luxury brands possess their personal information. Moreover, several luxury brands collect detailed personal information in their endeavour to render continuous quality offerings and tend to store personal data for longer durations.

Take the example of Hermes, the Parisian brand that operates a ‘quota system’ for Birkin and Kelly bags, limiting purchases to two pieces a year. The ability to possess these bags comes with the prerequisite of a history of multiple purchases with Hermes. Another example is Rolex watches, where some models have a waiting period of up to 10 years. Even then, a large spending history is a prerequisite for, say, the Daytona model. Thus, in a data breach, not only is the personal information of highly valued individuals made available to hackers, but it also puts them in the uncomfortable position of negotiating with luxury brand owners who may be willing to go to any extent to preserve their brand’s reputation.

India’s framework on data protection

While India can be said to have legislation on cyberattacks and data protection through the Information Technology Act 2000 and the rules framed thereunder, these were found to be insufficient to address the dynamic digital landscape. 

In 2017, the Supreme Court declared the right to privacy a fundamental right in the Puttaswamy case, and soon thereafter steps were taken to build dedicated legislation on protection of personal data and privacy in India. In the Puttaswamy case, India’s ‘Aadhaar’ scheme, the world’s largest biometric system for issuing unique identification numbers to all residents of India, was challenged over the misuse of sensitive biometric data and unauthorised disclosure to third parties. Setting the tone for the new Digital Personal Data Protection Act (DPDP), this case highlighted the need for a dedicated law to protect personal data and privacy in India.

What does the Digital Personal Data Protection Act have to offer to the fashion industry?

The DPDP Act aims to safeguard individuals’ digitised personal data, thereby necessitating a profound shift in how fashion houses handle customer information. This legislation introduces requirements for the collection, processing and protection of digital personal data in a business-friendly manner. The Indian fashion industry is taking this as a strategic opportunity to redefine fashion retail. In the fast-paced world of e-commerce, data is the new gold.

One of the fundamental aspects of the DPDP Act is transparency. Indian fashion houses, online or offline, are meeting requirements by being conscious of what digitised personal data they collect, the manner of its use, and, most importantly, complying with the requirements of obtaining specific, affirmative user consent. This isn’t just about ticking checkboxes; it is about building trust with valued customers.

The law requires extensive data security measures at both organisational and technological levels. For fashion marketplaces and e-commerce platforms, this means investing heavily in cutting-edge cybersecurity functionalities to protect customers’ personal data. In the case of cross-border transactions, while Indian law permits the free flow of information globally, barring any blacklisted jurisdictions, fashion houses will need to navigate international data transfer regulations, including requirements of the General Data Protection Regulation of the European Union, which is considered to be a benchmark for personal data protection.

Compliance with the DPDP Act also requires conforming to customer rights over their personal data. Consumers can request access to their personal data, require maintenance of accurate information and even demand its deletion or withdraw their consent. Fashion brands and marketplaces need to provide a platform offering greater control to their customers over their personal information.

Challenges but breakthroughs

For smaller fashion marketplaces and e-commerce start-ups, while the Indian law suggests exemptions to notified start-ups, compliance with the DPDP Act may pose challenges due to the enormous costs associated with data protection measures and the potential need for legal expertise. This may lead to market consolidation, with larger players better positioned to handle compliance. 

Another important aspect is that fashion e-commerce thrives on personalised recommendations and targeted advertising. The DPDP Act necessitates a careful balance between personalisation and privacy. Algorithms used for recommendations and targeted advertising will need to be more refined, relying on consent-based data and the use of technological measures including anonymising data to ensure compliance.

The law also provides enhanced safety for children, prohibiting targeted advertising directed at them. Fashion houses, here again, will need to ensure compliance with legal requirements. The DPDP Act isn’t just about adhering to rules; it is about reimagining how one connects with their consumers in a digital world. The Act gives an exciting opportunity to lead with transparency, security and user-centricity. Fashion marketplaces and e-commerce businesses that embrace this new era of data protection will not only pre-empt imposition of hefty penalties prescribed under the Act but thrive by building trust and loyalty and enhancing market perception, goodwill and brand value.

The way forward

The digital age is witnessing increased engagement and the DPDP Act is likely to create a safe playground for transmission and exchange of digitised personal data, fostering an environment where consumers may feel safer sharing their details. With the increased instances of data leaks, the DPDP Act is likely to have a favourable impact on digital consumption leading to growth of India’s digital economy. 

Although the law mandates limitation on retention of data, thereby causing challenges to business strategies on customer engagement, several fashion brands and marketplaces operate on subscription-based models or are based on models where consumers prefer that brands retain their information for better customer engagement, keeping their customers updated with new collections and sharing deals and offerings. The DPDP Act may also help spur innovation where one may find businesses creating newer ways to personalise the shopping experience while respecting consumer privacy.

As the DPDP Act unfolds, fashion retail, and specifically e-commerce, is set to undergo transformation where data protection and customer privacy become not just obligations, but essential elements of business success. Once the Act comes into force (which may be expected in the coming month), it remains to be seen how brands will embrace the new wind in their favour, optimising consumer experience with an enhanced obligation to keep personal data safe.

Cyril Abrol is a partner leading the corporate and commercial law practice at Indian law firm Remfry & Sagar, while Radha Khera is a qualified luxury, fashion and intellectual property attorney at the firm. Both Cyril and Radha are EU-GDPR certified privacy professionals.
