India’s Digital Personal Data Protection Bill Moves Through Parliament

India’s Digital Personal Data Protection Bill of 2023 passed in the lower house of Parliament and will now face the higher house before it becomes law. Highlights of the bill include:

  • The Bill will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised.  It will also apply to such processing outside India, if it is for offering goods or services in India.
  • Personal data may be processed only for a lawful purpose upon consent of an individual.  Consent may not be required for specified legitimate uses such as voluntary sharing of data by the individual or processing by the State for permits, licenses, benefits, and services.
  • Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.
  • The Bill grants certain rights to individuals including the right to obtain information, seek correction and erasure, and grievance redressal.
  • The central government may exempt government agencies from the application of provisions of the Bill in the interest of specified grounds such as security of the state, public order, and prevention of offences.
  • The central government will establish the Data Protection Board of India to adjudicate on non-compliance with the provisions of the Bill.

But all of this does concern me:

  • Exemptions to data processing by the State on groundssuch as national security may lead to data collection, processing, and retention beyond what is necessary.  This may violate the fundamental right to privacy.
  • The Bill does not regulate risks of harms arising from processing of personal data.  
  • The Bill does not grant the right to data portability and the right to be forgotten to the data principal.
  • The Bill allows transfer of personal data outside India, except to countries notified by the central government.  This mechanism may not ensure adequate evaluation of data protection standards in the countries where transfer of personal data is allowed.

Ani Chaudhuri, CEO, Dasera had this comment:

In today’s hyper-connected world, data is businesses, governments, and individuals lifeblood. The Digital Personal Data Protection Bill, 2023, tabled by the Indian Parliament, promises to reshape India’s digital ecosystem fundamentally. However, some provisions raise eyebrows, and some sigh relief. As the CEO of a leading data security and governance firm, here’s my perspective:

1. Applicability and Scope: The Bill’s clarity on what constitutes digital and non-digital data is commendable. This distinction is pertinent in our digital transformation era, where data can easily traverse between these forms. However, the territorial applicability might leave room for data misuse if foreign entities do not offer goods or services but still process Indian data.

2. Consent: The Bill strengthens the individual’s position as the custodian of their data. The stipulation around explicit affirmative action for consent is a commendable step forward. However, the reliance on “consent managers” might introduce new business complexities.

3. Grounds of Processing: The shift from ‘deemed consent’ to ‘legitimate uses’ presents challenges and opportunities. While it offers clarity, it significantly burdens businesses to rethink their data collection and processing strategies.

4. Data Fiduciaries: The onus on data fiduciaries to ensure compliance even when they outsource the processing is a welcome move. This will ensure a chain of responsibility and enforce better data practices.

5. Cross-border Transfers: A “negative list” approach, while seemingly liberal, might lead to complications if the principles on which countries are barred aren’t transparently laid out.

6. Blocking Power: A potentially controversial move. Any power to block public access must be exercised with utmost caution, ensuring it does not stifle freedom of expression or business continuity.

7. Exemptions: A double-edged sword. While exemptions might be necessary for state functionality, they shouldn’t become a backdoor to bypass the very essence of the bill.

8. Penalties: Reducing the maximum penalty suggests a softer stance on non-compliance. Whether this is conducive to robust data protection or simply a concession to businesses is up for debate.

Overall, the 2023 Bill is a thoughtful attempt to balance protecting individual rights and fostering business growth. However, the concerns around compliance costs, especially for startups, are genuine. Without ‘deemed consent’ will undoubtedly introduce more rigidity into the system. While data protection is of utmost importance, we must ensure that we do not inadvertently stifle innovation and business growth.

Although lacking specific timelines, the phased approach to implementation gives businesses a window to adapt. However, startups may bear the brunt, given the high compliance costs. The bill in its current form appears to swing the pendulum more towards protection and less towards ease of doing business.”

While the Bill addresses several data protection concerns, it remains to be seen how its implementation will affect the digital landscape in India. What’s imperative is a continuous dialogue between stakeholders to ensure the Bill serves its purpose without stifling the Indian digital ecosystem.

I am very suspicious of this bill personally because of the privacy related concerns that I highlighted earlier, among other concerns. But there are things that could be considered “good” in this bill that I will see how it is implemented and what the effects of that implementation are before passing judgement on it.

Leave a Reply

%d bloggers like this: