

In an increasingly digital world, every aspect of commerce utilises internet services to promote businesses online. The real estate industry is no exception, with buying and selling increasingly moving online. Given the digital revolution, regulating the processing of personal data online has become all the more crucial to protect individual data against possible privacy violations by real estate companies.
The Digital Personal Data Protection Act of 2023 (DPDPA) is a much-needed piece of legislation in this context. Even though it is not presently in force and does not contain specific transitional provisions such as timelines for issuance of rules and notifications, both the physical and digital parts of the real estate industry would have to comply with its provisions once the rules are out.
The DPDPA introduces significant changes in compliance requirements, data handling practices and potential legal implications for a data fiduciary, data principal, and data processor. For this, it proposes to repeal Sections 43A and 87(2)(b) of the Information Technology Act, 2000 and replace them with Section 44(2) of the DPDPA.
As a result, the IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, which currently govern the collection and handling of personal information in India, would also be repealed as they were notified under the IT Act.
Data fiduciaries in the real estate context would include real estate firms and portals such as Housing.com, Magicbricks, or websites like Justdial, etc. Similarly, data principals will be home buyers, renters, property sellers, landlords, agents, brokers, developers, builders, etc., whose data would be collected with their consent. A data processor will be any third-party software-as-a-service company or even the in-house programming teams of the data fiduciary.
Compliance requirements
Consequent upon the landmark Puttaswamy judgement of the top court, baseline principles of privacy such as consent, lawful and transparent use of personal data, purpose limitation, data minimisation, data accuracy, storage limitation, reasonable security safeguards, and accountability have found their way into the DPDP Act.
Lawful and transparent notice for consent, Section 5: Real estate companies must explicitly obtain consent from data principals providing clear privacy notices in multiple languages. They’d be required to store proof of consent in a retrievable manner [Section 6(4)] and inform the data principals of the purpose, type, and intended use of the data.
Processing will encompass collection, storage as well as use. For instance, a student named X registers with JustDial’s mobile app to look for rental properties in South Delhi. By registering with her Google account, X consents to JustDial processing her personal data in order to handle her request. The request for personal data from JustDial must therefore be accompanied by, or preceded by, a notification to X outlining the personal information that will be gathered—such as her location, phone number, Google profile, etc.—and how it will be processed.
Fit-for-purpose approach, Section 6(1): Real estate companies must limit data processing to what is necessary for specific purposes, transitioning from expansive data handling practices to a more focused approach. For instance, when homebuyer X downloads the housing portal app Y, it asks for X’s permission to process her data to access her location in order to provide recommendations for homes for sale nearby, and access to the contact list on her phone. X responds and provides her consent to both requests. As a result of privacy principles contextualised in the DPDPA, her consent shall be limited to processing only her location, as the contact list doesn’t serve any purpose.
Right to be forgotten, Section 12(1): Data principals are entitled to have their data corrected or erased. For instance, if a renter no longer wishes to list their property on Housing.com, all their associated data shall be erased upon request.
The Real Estate Regulatory Authority (RERA) mandates transparency and accountability in real estate transactions that involve handling personal data. Therefore, the DPDPA’s stringent data protection requirements would complement RERA’s transparency goals by ensuring personal data is handled securely. Non-compliance with obligations by a fiduciary could potentially result in adjudication and/or penalties in line with Schedule I of the DPDPA.
Impact and challenges
The DPDPA’s implementation will greatly improve safeguards and accountability in the real estate industry’s data handling practices. However, real estate companies may face a number of hurdles while establishing robust data security measures.
For instance, businesses would need to update their data handling systems and use state-of-the-art data protection solutions. Consequently, they would also need to establish compliance teams to that end. This may result in a greater financial and technological burden for smaller enterprises.
Furthermore, because DPDPA holds data fiduciaries responsible even in cases where data processing is outsourced, there is a chance operational expenses would rise even more. Nevertheless, companies would need to implement strong data protection measures and comply with the DPDPA provisions while upholding the rights of all stakeholders.
(With inputs from Savvi Singhal)
(Views are personal)
Amar Patnaik
Advocate, former CAG bureaucrat and former member of the Rajya Sabha from Odisha