Amidst a highly anticipated session on Thursday, Union Communications, Electronics, and Information Technology Minister Ashwini Vaishnaw introduced the Digital Personal Data Protection Bill 2023 (DPDP Bill), in the Lok Sabha. The bill seeks to regulate the processing of digital personal data while ensuring individuals' right to privacy and the need for lawful data processing.
The introduction of the DPDP Bill was met with a mix of enthusiasm and cautious optimism from industry leaders who hailed it as a landmark legislation for data protection in India.
Cybersecurity company Barracuda Networks’ India Country Manager Parag Khurana welcomed the developments surrounding the Digital Personal Data Protection Bill. He said, “Its focus on capturing consumer rights to data protection as fundamental rights and introducing light and easy-to-comply obligations for data fiduciaries indicates a step towards balancing data protection and fostering innovation. While we await further details on the implementation, we are optimistic about the potential impact of this bill on businesses and data processing in India.”
Raj Sivaraju, President, APAC, Arete, emphasised on the Digital Personal Data Protection Bill's “relentless focus” on safeguarding privacy and data rights. “With a constant emphasis on privacy and data rights, this law advocates for the protection of individuals' personal information, thereby maintaining the fundamental foundation of our digital society. By establishing rigorous regulations for data handling, the bill reinforces data protection measures, empowering businesses to build robust cybersecurity infrastructures,” he explained.
According to Namita Viswanath, Partner at INDUSLAW, the introduction of the Digital Personal Data Protection Bill in the Indian Parliament is a significant step towards establishing a standalone data protection law in India that aligns with international best practices.
Viswanath highlighted some positive aspects of the bill, including the introduction of detailed legitimate use exceptions to consent, the categorisation of Significant Data Fiduciary, and the establishment of the Data Protection Board. These provisions are expected to make the law more robust and better suited to meet the current business requirements regarding data protection.
“However, there are wide powers still reserved for the Central Government to make exceptions, as under the 2022 version of the bill, raising apprehensions about the potential for unguided and arbitrary rule-making powers under this bill," she added.
Supratim Chakraborty, Partner at Khaitan & Co, said that the provision of a negative list approach for cross border transfer of personal data instead of a white-list represents a significant shift in strategy. Based on this approach, the Indian Government will have the ability to regulate and limit the transfer of personal data across borders based on specific criteria set by the Indian Government.
“Such power will not override any law that provides for a higher degree of protection for or restriction on transfer of personal data by an entity. The approach adopted by the Indian Government in determining the criteria for the negative list and maintaining harmony between sectoral laws and the Bill will be crucial,” he added.
Meanwhile, Delhi-based legal services organisation SFLC.in noted that the DPDP Bill's deletion of Section 43A from the IT Act, which previously allowed aggrieved individuals to seek compensation for data breaches and privacy violations, raises significant concerns. The absence of a remedy for data principals who suffer losses due to privacy violations is a major gap that needs to be addressed to hold data handlers accountable.
“Deemed consent that had raised red flags earlier has been reworded but principally remains the same. Data Principals have been saddled with duties and penalties prescribed for acting in violation of these. Cross border data flow has been changed from whitelisting to blacklisting regime which is a welcome change,” said the Delhi-based legal not-for-profit organisation.
SFLC.in also felt that there was a “problematic provision” in DPDP Bill 2023, a clause added in the bill for blocking a computer resource which could be used for blocking websites and applications. “Although the consultation process took a long time, the Government does not seem to have considered the inputs received from stakeholders and recommendations from the JPC,” SFLC.in noted.
Notably, the DPDP Bill was introduced precisely one year after the government withdrew the Personal Data Protection (PDP) bill. The bill will now go through one of two possible paths: it will either be passed by both houses of Parliament and enacted into law, or it will undergo further examination by a Parliamentary Committee before a final vote.