- The bill is a crucial step towards achieving the vision of global standard cyber laws for India’s $1 trillion digital economy, IT Minister says.
- Non-adherence of obligations listed in the bill may attract sanctions and commercial penalty as high as Rs250 crore, Deloitte India says.
- Although the consultation process took a long time, the Government does not seem to have considered the inputs received from stakeholders and recommendations from the JPC, SFLC says.
India is planning to deploy Digital Personal Data Protection Bill 2023 (DPDP) which regulates the processing of digital personal data while ensuring individuals’ right to protect their data and the need to process it for lawful purposes.
The bill was tabled in the Lok Sabha by Union Communications, Electronics, and Information Technology Minister Ashwini Vaishnaw, amid strong opposition from Opposition leaders who claimed it violates the fundamental right to privacy.
The opposition demanded that the bill be sent to the standing committee for thorough scrutiny, citing the withdrawal of a similar bill on data protection by the government last year.
In response, Vaishnaw clarified that the bill is not a money bill and assured the opposition that all issues raised will be addressed during the debate on the bill.
Fostering an innovative economy
Rajeev Chandrasekhar, Minister of State for Information Technology, shed light on the significance of Digital Personal Data Protection through his official X account.
He claims that the bill is a crucial step towards achieving the vision of global standard cyber laws for India’s $1 trillion digital economy.
According to Chandrasekhar, the bill was formulated after extensive consultations led by the Ministry of Electronics and Information Technology with all stakeholders.
Chandrasekhar explained that once passed by Parliament, the bill will protect the rights of all citizens, foster an innovative economy, and grant lawful and legitimate access to the government in matters of national security and emergencies, such as pandemics and earthquakes.
He described the Digital Personal Data Protection Bill 2023 as a global standard, contemporary, future-ready, yet simple and easy to understand, ensuring India’s position at the forefront of the digital world.
“With the advent of Artificial Intelligence and the need for safeguarding privacy, India’s Digital Personal Data Protection bill aspires to set and evolve the framework for businesses to adopt best practices, strengthen data governance and drive responsible data handling,” Ivana Bartoletti, Global Chief Privacy Officer at Wipro Limited, said.
Embracing a ‘Privacy by Design’ approach, she said integrates privacy measures from the inception of the technology or system development, rather than treating it as an afterthought.
“It fosters a sense of trust amongst stakeholders and can even accelerate growth opportunities.”
Presently, India does not have separate data protection legislation.
The Supreme Court of India, in 2017 had recognised privacy as a fundamental right in 2017 and highlighted the need to protect online personal data from prying eyes.
In the absence of a distinct data protection legislation, the Information Technology Act, 2000 (IT Act) along with the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (SPDI Rules) have been the cornerstone for data protection in India.
The Indian Government recently unveiled a comprehensive draft of the Digital Personal Data Protection (DPDP) Bill on November 18, 2022.
A problematic provision
In India, relevant government departments oversee the enforcement of data protection instead of a separate Authority. However, the draft DPDP Bill envisages setting up of a Data Protection Board of India (DPBI) to regulate the entire regime of digital personal data protection in the country.
Manish Sehgal, Partner, Deloitte India, said it was the moment the nation had been waiting for the past few years.
“Once enacted, the bill enables individuals (referred to as Data Principals) to govern their own personal (digital) data and will drive enterprises (referred to as Data Fiduciary) to process the personal data of individuals lawfully.
“In view of the bill’s extraterritorial coverage, enterprises based outside India serving individuals in India will also be expected to adhere to the provisions of this Bill, once enacted. Enterprises will have to review the current ways of working, especially for the personal data of individuals such as their employees, customers, merchants, vendors, etc. to be able to honour the rights that individuals may exercise, such as the right to access, update, erase their personal data etc. Non-adherence of obligations listed in the bill may attract sanctions and commercial penalty as high as Rs250 crore,” he said.
SFLC.in, a Delhi-based legal not-for-profit organisation, said that the Digital Data Protection Bill, 2023 has been introduced as a financial bill and the government has been given a lot of powers under the bill and there is no sufficient legislative guidance provided regarding these.
“Section 43 A of the IT Act which provided a remedy to aggrieved persons to get compensation has been deleted. However, the bill does not provide for compensation to be granted for data principals whose privacy has been violated and has suffered a loss.
“Deemed consent that had raised red flags earlier has been reworded but principally remains the same. Data Principals have been saddled with duties and penalties prescribed for acting in violation of these. Cross border data flow has been changed from whitelisting to blacklisting regime which is a welcome change.”
However, SFLC said that such data transfer restrictions are permitted in the case of specific laws in existence. A problematic provision is a clause added in the bill for blocking a computer resource which could be used for blocking websites and applications. Although the consultation process took a long time, the Government does not seem to have considered the inputs received from stakeholders and recommendations from the JPC.