The Digital Personal Data Protection Bill, 2023 (DPDP) was tabled in the Lok Sabha on Thursday with Opposition parties raising some objections. The new Bill is the Indian Government’s second attempt at drafting legislation related to privacy. The main objective of the Data Bill is to regulate the processing of personal data along with ensuring a person the right to protect their data. The new bill has been welcomed by India Inc with many hailing it as a remarkable step towards ushering in India’s ‘techade’. Many also believe that the new bill set a new international precedent in terms of data protection framework. 'A much-needed bill' Manish Sehgal, Partner, Deloitte India said it was the moment the nation had been waiting for the past few years. According to Sehgal, once enacted, the bill enables individuals (referred to as Data Principals) to govern their own personal (digital) data and will drive enterprises (referred to as Data Fiduciary) to process the personal data of individuals lawfully. “In view of the bill’s extraterritorial coverage, enterprises based outside India serving individuals in India will also be expected to adhere to the provisions of this Bill, once enacted. Enterprises will have to review the current ways of working, especially for the personal data of individuals such as their employees, customers, merchants, vendors, etc. to be able to honour the rights that individuals may exercise, such as the right to access, update, erase their personal data etc. Non-adherence of obligations listed in the bill may attract sanctions and commercial penalty as high as Rs 250 crore,” said Sehgal. Towards compliance & transparency The DPDP bill is seen as a significant milestone toward addressing the data protection concerns that have been a matter of contention for a long time. “With its comprehensive framework, the bill places reasonable obligations on data fiduciaries and processors, ensuring responsible handling of digital personal data. The emphasis on free and informed consent reinforces citizens' fundamental right to privacy. The establishment of a data protection board further strengthens the legislation, ensuring compliance, remedial measures, and penalties when necessary. The Board's empowerment to function as a digital office, handling complaints, allocating cases, and making decisions by adopting techno-legal means, adds to the efficiency and transparency of the entire process,” said Akshay Garkel, Partner, Grant Thornton Bharat. “Overall, the bill is a positive step towards safeguarding data privacy, promoting transparency in data practices, and marks a milestone for India's Digital future,” added Garkel. More rights to individuals The DPDP bill which has been drafted by MEITY is seen as a forward-looking legislation that has a broad scope across sectors and will have an impact on businesses of all sizes. “The DPDP Bill strikes an important balance in protecting users’ rights and promoting innovation in digital businesses. Its key business-friendly provisions include eliminating criminal penalties for non-compliance, facilitating international data transfers, etc. On the other hand, it also provides for a comprehensive set of rights guaranteed to data principals which aims to create a transparent and accountable data governance framework going forward. We laud the DPDP Bill as an important step towards building a new legal architecture for digital businesses and the ushering in of India’s techade,” said Shahana Chatterji, Partner, Shardul Amarchand Mangaldas & Co. Advantages and limitations Apart from describing what constitutes personal data, the new legislation also brings forward its applicability and scope. As part of the reform, a new Data Protection Board will be set up to scrutinise non-compliance and impose penalties for the same. While the Bill seems to offer a lot of powers to individuals, there are some limitations too. “The government has been given a lot of powers under the Bill and there is no sufficient legislative guidance provided regarding these. Section 43 A of the IT Act which provided a remedy to aggrieved persons to get compensation has been deleted. However, the bill does not provide for compensation to be granted for data principals whose privacy has been violated and who have suffered a loss. Deemed consent that had raised red flags earlier has been reworded but principally remains the same. Data Principals have been saddled with duties and penalties prescribed for acting in violation of these. Cross border data flow has been changed from whitelisting to blacklisting regime which is a welcome change,” said Prasanth Sugathan, Legal Director at SFLC, a legal services organisation. Further elaborating on the limitations, Sugathan said that another problematic provision was a clause added in the bill for blocking a computer resource that could be used for blocking websites and applications. "Although the consultation process took a long time, the Government does not seem to have considered the inputs received from stakeholders and recommendations from the JPC." On rights and consent The revised bill on data protection introduces a slew of changes including the new definition of ‘deemed consent’. It directs appeals against Data Protection Board orders to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) instead of the High Court invariably introducing a negative list for data transfer limitations. The objective behind these changes is to clarify and strengthen data privacy. “As we delve into the revised draft of the law, some of the changes seem to be particularly intriguing to note. The much-debated 'deemed consent' clause has now been given the colour of 'legitimate uses,' encompassing instances where individuals willingly provide personal data without indicating objections to its use. Another notable change is that all appeals against the orders of the Data Protection Board will be directed to the TDSAT instead of the High Court. Additionally, the introduction of a negative list for data transfer restrictions seems to be a promising step towards bringing much-needed clarity to cross-border transfers,” said Harsh Walia, Partner at Khaitan & Co. Data processing jurisdiction The latest draft acknowledges stakeholder input and aims to balance the fundamental privacy rights of Indians and the reasonable limitations on those rights, business viability, and international standards for adequate data processing jurisdiction. This has been in the making for the past five years, and indeed is seen as a positive step. “What is special about this version is the care and attention given to bring in Illustrative examples which will serve as guiding principles for critical concepts around ‘consent’, ‘notice’, and ‘legitimate uses’, among others. Another heartening aspect about this piece of legislation is that the Ministry has been receptive to feedback to a large extent, such as lowering the age requirement for seeking parental consent for limited use cases on the basis of a determination to be made by the government. Another interesting feature is that this version points towards a jurisdiction blacklisting format with respect to the permissibility of cross-border data processing activities, unlike other major jurisdictions like the EU, where the approach is to identify and whitelist jurisdictions with adequate legal standards,” said Shreya Suri, Partner, INDUSLAW.
