Background and Need for the Bill
In recent years, India has witnessed a rapid surge in the adoption of digital services, including social media, e-commerce, and online financial transactions. While this digital transformation has brought numerous benefits, it has also exposed individuals to vulnerabilities related to data breaches, unauthorized sharing of personal information, and invasive surveillance.
In response to these concerns, the Indian government has proposed the Digital Personal Data Protection Bill, a comprehensive legislative framework aimed at safeguarding citizens’ digital privacy.
The Digital Personal Data Protection Bill seeks to address these concerns by setting out guidelines and regulations for the collection, processing, storage, and sharing of personal data. The bill aligns itself with global best practices, including the General Data Protection Regulation (GDPR) in the European Union, and aims to strike a balance between individual privacy rights and the legitimate interests of businesses and governments.
This article delves into the key aspects, significance, and potential impact of the Digital Personal Data Protection Bill in India.
Timeline of the Digital Personal Data Protection Bill:
The DPDP Bill has had a long, eventful history – right from when it was conceived about five years ago, to the current day.
Justice B.N. Srikrishna Committee Report (2018): The groundwork for the bill was laid by the Justice B.N. Srikrishna Committee, constituted in 2017 following an order of a 9-judge bench of the Supreme Court of India, to examine data protection issues and suggest a framework for India. The committee submitted its report in July 2018, outlining key principles and recommendations for a robust data protection regime.
Draft Bill and Public Consultation (2018-2019): Building upon the committee’s recommendations, the Indian government drafted the Personal Data Protection Bill in 2018. The draft bill was open for public consultation, inviting feedback from stakeholders, experts, and the general public. This inclusive approach aimed to incorporate diverse perspectives and refine the bill’s provisions before it was introduced to the Parliament.
Introduction to Parliament (2019): In December 2019, the draft bill was introduced in the Indian Parliament as the Personal Data Protection Bill, 2019. The bill was referred to the Joint Parliamentary Committee (JPC) for further review and deliberation.
JPC Review and Stakeholder Discussions (2020-2021): The Joint Parliamentary Committee held several meetings to examine the bill’s provisions and engage in discussions with various stakeholders, including technology companies, civil society groups, legal experts, and industry associations. This phase aimed to address concerns and refine the bill’s language as much as possible.
Deliberations and Passage (2021-2023): The Bill was finally passed by the Rajya Sabha on the 9th of August, 2023, a day after it was passed by the Lok Sabha. This was a landmark event, as it was the first time a data privacy law in India had cleared both houses of Parliament.
Provisions of the DPDP Bill
The DPDP Bill has overarching provisions which cover multiple parties and use cases. We have listed those in the section below.
1. Scope and Applicability: The DPDP Bill applies to all individuals, entities, and organizations involved in processing personal data, regardless of whether they are located within or outside India. This wide scope ensures that both domestic and international entities are held accountable for the handling of personal data belonging to Indian citizens.
2. Data Principal Rights: The Bill grants individuals, referred to as data principals, a range of rights over their personal data. These include the right to access, correct, and delete their data, as well as the right to data portability. This empowers individuals to have greater control over their personal information, enhancing transparency and accountability among data processors.
3. Data Fiduciaries and Data Processors: The DPDP Bill categorizes entities that collect and determine the purpose of data processing as “data fiduciaries.” These entities are entrusted with the responsibility of ensuring that data processing activities are carried out in accordance with the bill’s principles. Data processors, on the other hand, are entities that process data on behalf of data fiduciaries. Both data fiduciaries and processors are required to adhere to the principles of transparency, accountability, and data minimization.
4. Grounds for Data Processing: The bill outlines specific grounds on which personal data can be processed. These grounds include the necessity of processing for the performance of a contract, compliance with legal obligations, protection of vital interests, and legitimate interests pursued by the data fiduciary or a third party. Consent is also a crucial basis for data processing, and the bill introduces provisions for obtaining valid and informed consent from data principals.
5. Sensitive Personal Data: Recognizing the heightened sensitivity of certain categories of personal data, the DPDP Bill introduces the concept of “sensitive personal data.” This includes information such as financial data, health data, biometric data, and more. Processing sensitive personal data requires explicit consent from data principals and is subject to stricter safeguards.
6. Data Localization and Cross-Border Transfer: The DPDP Bill introduces the concept of “critical personal data” that must be stored and processed exclusively within India. This measure aims to ensure that data with a strategic significance to the country remains under its jurisdiction. Additionally, cross-border transfer of personal data is allowed only under certain conditions, including obtaining explicit consent or adhering to data protection agreements between India and the receiving country.
7. Data Protection Authority: The bill proposes the establishment of a Data Protection Authority (DPA) of India, which will serve as the primary regulatory body responsible for overseeing and enforcing the provisions of the DPDP Bill. The DPA will have the power to investigate violations, impose fines, and provide guidance to data fiduciaries and processors.
8. Accountability and Data Audits: The DPDP Bill emphasizes the importance of accountability in data processing. Data fiduciaries are required to conduct periodic data audits to assess compliance with the bill’s provisions. This promotes a culture of self-regulation and helps identify and rectify any potential data protection breaches.
9. Data Breach Notification: In the event of a data breach that could harm the interests of data principals, the bill mandates data fiduciaries to notify both the DPA and the affected individuals promptly. This provision ensures that individuals are informed about breaches that might impact their privacy and security.
10. Penalties and Enforcement: To ensure adherence to the provisions of the bill, penalties are prescribed for violations. These penalties can be substantial and are categorized based on the nature of the violation. Additionally, the DPA has the authority to issue warnings and orders, and to impose fines, to encourage compliance.
DPDP & GDPR: Same, yet different
While both the DPDP Bill and the GDPR share common principles concerning the protection of personal data, there are notable differences between the two frameworks:
| | GDPR | DPDP |
| --- | --- | --- |
| Scope and Applicability | Applies to all EU member states and entities that process data of EU citizens, regardless of their location. | Applies to entities processing personal data within India, extending its jurisdiction beyond the country’s borders only when data processing affects individuals within India. |
| Data Localization | Does not explicitly mandate data localization. However, it imposes strict requirements on cross-border data transfers and necessitates adequate safeguards. | Explicitly requires critical personal data to be stored within India. This contrasts with the GDPR’s approach, reflecting India’s emphasis on national security and data sovereignty. |
| Consent and Age of Consent | Sets the age of consent for data processing at 16, with member nations having the option to lower it to 13. | The DPDP Bill had initially set the age of consent at 18 but later lowered it to 16, similar to the GDPR. This aims to protect the privacy rights of minors while acknowledging their increasing digital engagement. |
| Cross-Border Data Transfers | Allowed if the destination country ensures an adequate level of data protection, or through the use of binding corporate rules, standard contractual clauses, or other mechanisms. | Subject to certain conditions, including obtaining explicit consent from individuals or ensuring the recipient country offers protection on par with Indian law. |
| Fines and Penalties | Empowers supervisory authorities to impose fines of up to €20 million or 4% of global annual turnover, whichever is higher. | Proposes fines of up to 4% of annual turnover or INR 150 crores (whichever is higher) for violations. While the monetary value differs, the concept of significant penalties for non-compliance aligns with the GDPR’s enforcement approach. |
The Digital Personal Data Protection Bill has far-reaching implications, both good and bad, for various stakeholders, including individuals, businesses, and the government.
In the following sections, we examine some of those.
Benefits of the DPDP Bill
Enhanced Privacy Protection: The Bill introduces comprehensive data protection measures, empowering individuals to have greater control over their personal data. It requires data controllers and processors to obtain explicit consent from users before collecting and processing their data, ensuring transparency and accountability.
Cross-Border Data Transfers: The Bill outlines guidelines for cross-border transfer of personal data, promoting secure and regulated international data flows. It seeks to establish a balance between facilitating global business operations and safeguarding the data rights of Indian citizens.
Empowering Individuals: The Bill grants individuals the right to access their personal data, request corrections, and even request the erasure of their data under certain circumstances. This empowers individuals to manage their digital footprint and exercise greater control over their online presence.
Data Localization and Sovereignty: The Bill emphasizes the concept of data localization, requiring certain categories of sensitive personal data to be stored within India. This provision aims to strengthen data sovereignty and minimize the risks associated with unauthorized data access or breaches.
Accountability and Enforcement: The Bill introduces stringent penalties for data breaches and non-compliance with its provisions, ensuring that organizations take data protection seriously. It establishes a Data Protection Authority (DPA) to oversee and enforce compliance with the law.
On the flip side, there are also murmurs of apprehension about the implications of the Bill.
Balancing Privacy and Innovation: A significant challenge is striking the right balance between protecting individuals’ privacy and promoting technological innovation. Stricter data protection measures could potentially hinder the development of new services and business models that rely on data usage.
Extraterritorial Application: The DPDP proposes an extraterritorial application, meaning it would govern not only data processed within India but also data processed by entities outside the country if it pertains to Indian individuals. This could lead to jurisdictional conflicts and compliance challenges for multinational companies.
Data Localization: The bill introduces the concept of data localization, requiring certain categories of personal data to be stored and processed only within India. While this is intended to ensure better control over data, critics argue that it might impede cross-border data flows and increase costs for businesses.
Ambiguity in Consent Framework: Consent is a cornerstone of data protection, and the DPDP emphasizes obtaining explicit and informed consent from data subjects. However, challenges arise in defining what constitutes valid consent, particularly in complex scenarios such as Internet of Things (IoT) devices or AI-driven systems.
Government Access to Data – intrusion into free speech: The Bill empowers the government to access personal data for national security and law enforcement purposes. This provision raises concerns about the potential misuse of data and the need for clear oversight mechanisms to prevent abuse.
Compliance Burden on Businesses: The DPDP places substantial compliance responsibilities on businesses, particularly in terms of data protection officers, record-keeping, and reporting. This might disproportionately affect small and medium-sized enterprises (SMEs).
Impact on Innovation: Some experts express concern that stringent data protection regulations might stifle innovation by making it difficult for companies to utilize data for product development and improvement. This could especially be a big problem for startups with limited resources and expertise.
Data Monopolies: While the DPDP Bill aims to give individuals access to their data, strict data localization could paradoxically lead to the consolidation of data in the hands of a few large players capable of complying with these requirements, thereby reinforcing data monopolies.
These apprehensions are further fuelled by the following open questions:
Data Protection Authority: The DPDP envisages the establishment of a Data Protection Authority (DPA) responsible for enforcement and oversight. Open questions surround the independence and effectiveness of the DPA, as well as its relationship with other regulatory bodies.
Cross-Border Data Transfers: The bill’s provisions on cross-border data transfers lack clarity. It remains unclear under what circumstances data can be transferred outside India and what safeguards need to be in place to ensure adequate protection.
Data Protection Impact Assessments (DPIAs): The bill introduces DPIAs as a tool to assess the impact of data processing activities on individuals’ privacy. However, the criteria for when and how DPIAs should be conducted require further elaboration.
Children’s Data Protection: Safeguarding children’s data is of paramount importance. The DPDP acknowledges this by requiring parental consent for processing children’s data. Yet, defining the age at which parental consent is not needed remains a question.
Data Localization Costs: The impact of data localization on businesses, especially smaller enterprises, is still uncertain. It’s essential to address how these potential costs will be managed to ensure a level playing field.
Conclusion
The Digital Personal Data Protection Bill is a significant step toward safeguarding the digital privacy of Indian citizens in an increasingly interconnected world. By introducing strict guidelines for data collection, processing, and storage, the bill seeks to restore control over personal information to its rightful owners.
While challenges related to implementation and balancing interests persist, the bill’s potential to foster trust, enhance data security, and empower individuals cannot be overstated. As India strives to lead in the digital age, the successful enactment and enforcement of this bill could serve as a model for data protection globally.
Share your feedback by writing us at shivani@idfy.com or filling out a form here.