The Union Cabinet gave its green light to the draft of the Digital Personal Data Protection (DPDP) Bill, which is now ready to be presented during the upcoming monsoon session of Parliament. The draft has been eagerly anticipated by many, and it brings some important changes to the table.
The government sought public input on an earlier draft of the DPDP Bill last November. They received over 21,000 comments from various stakeholders. According to reports, the Centre also consulted with a diverse range of organisations, including non-government stakeholders, totaling 100 in number.
Nasscom, the industry body representing the IT and software services sector, expressed its appreciation for the Union Cabinet's approval of the Digital Personal Data Protection Bill. In a tweet, Nasscom said, “We welcome the union cabinet’s approval of the Digital Personal Data Protection Bill. The extensive consultation process undertaken by the government across stakeholders is exemplary.”
According to reports, one significant change in the DPDP Bill is the removal of most of the criminal provisions related to data breaches that were present in previous versions. Instead, the focus has shifted to empowering the Data Protection Board (DPB) to take action. If organisations are found to be in breach of data protection rules, the DPB can impose penalties of up to Rs 250 crore on them. This move aims to hold companies accountable for mishandling personal data.
The DPB can further increase these fines to a maximum of Rs 500 crore, but only with the necessary approval from the cabinet. These increases won't require any amendments to the existing law.
Once the Bill is passed in Parliament, individuals, known as data principals, will gain the right to request companies to delete their personal data that was collected before any digital personal data protection regulations were in place. This includes data relating to children, ensuring that their privacy is safeguarded as well.
“From Personal Data Protection Bill 2018 to Digital Personal Data Protection Bill 2022 – the data protection bill in India has been through a journey to be India-ready! The approval by the Union Cabinet today is a significant development towards introduction of this bill before the Parliament. As this future legislation is now taking the center-stage, it is time for companies to take a call to action on the stringent measures governing data handling and processing, including data sharing and cross-border transfer,” said Harsh Walia, Partner at Khaitan & Co.
Concerns Raised
Internet Freedom Foundation (IFF), a prominent Indian non-governmental organisation dedicated to advocating for digital rights and liberties, gave its statement on Twitter expressing its concerns and recommendations regarding the Union Cabinet's clearance of a draft data protection bill.
First and foremost, the IFF emphasised the need for the upcoming draft bill to prioritise the protection of citizen data and informational privacy. The organisation expressed disappointment with the previous draft bill, DPDP Bill 2022, which it believed did not adequately recognise individual privacy rights. According to the organisation, the objective of the new bill should be to give primacy to the protection of citizen data and privacy.
The IFF also stressed the importance of informed consent as the cornerstone of the data protection framework. It criticised the DPDP Bill 2022 for including provisions for deemed consent and wide exemptions for data processing by both state and private actors. The Delhi-based organisation argued that informed consent should be a fundamental requirement to ensure individuals have control over their personal data.
Additionally, the IFF called for the removal of duties and penalties imposed on data principals in the previous bill. Instead, it recommended that the focus should be on strengthening the rights of data principals, further empowering individuals in their control over their own data.
Another major concern raised by the IFF was the lack of provisions in the previous draft bill that would enable the reform of India's surveillance architecture. The organisation argued that the new bill should include specific safeguards against overbroad government surveillance, ensuring a balance between security concerns and individual privacy rights.
Furthermore, the IFF emphasised the need for a strong and independent regulatory authority to enforce data protection measures. It criticised the questionable independence of the Data Protection Board under the DPDP Bill 2022 and called for rectifying this issue in the upcoming draft bill.
Finally, the IFF highlighted the importance of providing clear guidance for each provision in the draft bill. It criticised the DPDPB 2022 for leaving various provisions to executive rule-making without legislative guidance and scrutiny. The digital rights advocacy organisation urged for transparency and clarity in the upcoming bill to avoid ambiguity and potential abuse of power.
Weighing in on the Bill, Gowree Gokhale, Leader of the IP, Technology, Media and Telecom Practice at Nishith Desai Associates said, “Digital Personal Data Protection Bill is a much-awaited legislation. The last version of the Bill was much simpler form than the earlier versions. Various industries had given feedback on several aspects e.g., cross border transfer, handling of children’s data, deemed consent provisions, the powers of the board in levying penalties. Hopefully, the government has addressed industry concerns in the next version.”
“The government has been given rule making power on several areas. The industry will need to work closely with the government so that the rules are simple and implementable, especially for the startup ecosystem,” she concluded.