The Digital Personal Data Protection Bill, 2023, which has been tabled for passing before the Lok Sabha, has the potential to play a significant role in shaping the Indian technology policy landscape and indeed the sector for years to come.
As many have already highlighted, a key aspect of the Bill is the establishment of a Data Protection Board (DPB) to enforce much of its contents. An understanding of the nature of this Board and the objectives it seeks to realise is therefore essential for evaluating the Bill.
A comparison between this Bill and a draft version that was released for consultation in November 2022 reveals a general fleshing out of concepts that were already introduced in the consultation. This rings true for the DPB, which, as a concept, is markedly distinct from the Data Protection Authority that had been envisaged under previous iterations of the Bill up until 2021.
The Authority was always viewed as an all-encompassing regulator, with powers to not only implement the objective of the data protection law, but also to frame bye-laws, set out processes, procedures and standards, and enforce compliance.
As we have seen in several other jurisdictions, and for several other regulators in our own, this can be a lot to handle. While the ideal super-regulator — well-staffed, funded and well intentioned — can technically combine the various functions of rulemaking, issuing guidance, and resolving disputes, all while enforcing the law, in reality, most regulators end up having to focus on one or more of these aspects, and do some less well than others.
A regulator with a strong rulemaking remit, with its near constant engagement with industry participants, often falls into the habit of making extremely granular rules to provide for specific situations or ambiguities which may have arisen, drifting further and further away from the simplicity of its parent statute.
The consequence is often a glacial pace, reams and reams of guidance, often esoteric, with a near constant threat of regulatory overengineering disrupting innovation, and eventually, trade. This leads to greatly increased compliance costs for start-ups and small businesses, and forces businesses, especially younger ones which have fewer funds to spend on compliance, to resort to ignoring or working around much of the regulation to make their business viable. While there may be a place for an elaborate structure of this nature in certain spaces, the cost and impact of these in other markets can be significant.
The Bill, therefore, represents a much more practical and realistic approach to putting an effective enforcement regime for a new general data protection law in place quickly. By creating a supervisory and adjudicatory Board (with powers to resolve grievances, investigate non-compliance, direct remedial measures, and issue penalties) rather than an Authority, and by reserving rule-making powers with itself, the Ministry of Electronics and Information Technology (MEITY) has the ability to ensure that the rules under the Bill remain simple, legible and principles-based, as is the case with the present Bill itself.
Yet this shift from Authority to Board, which clearly recognises the context of the Indian economy and its need to foster the growth of the digital economy, is complemented by the idea of having the DPB as a fleet-footed enforcer of the obligations of Data Fiduciaries, through stiff penalties and fines, in order to safeguard the personal data of citizens.
The DPB has not been contemplated as a forum for awarding damages and compensation to persons affected by data breaches and unlawful data processing, or for awarding imprisonment to those who violate provisions of the Bill. While this enables the DPB to focus on ensuring that obligations are adhered to by Data Fiduciaries (rather than discharge any compensatory role), it has the additional benefit of ensuring that Data Principals act primarily out of concern for their information, rather than with the hope of obtaining compensation.
The present Bill also appears to have taken cognizance of much of the feedback received post the release of the consultation paper in November 2022. The Bill now expressly sets out the composition of the DPB, the qualifications, duration of appointment, and grounds for removal of its Chairperson and Members. The introduction of a one-year cooling-off period is a critical improvement and helps ensure that the watchdog remains impartial.
Another key change in the Bill is designating the TDSAT as the appellate body, as the TDSAT is already functional and possesses years of experience in adjudicating disputes pertaining to technology, including under the Information Technology Act, 2000.
Given the inherent complexities involved in legislating for data protection, there are bound to be differences in opinion on the best approach for doing so. What is perhaps more important in the larger scheme of things is that India is now likely to possess a data protection regime backed by a much-needed watchdog whose objective is to act swiftly in the event of data breaches and unlawful data processing. There are clear improvements in the manner in which the DPB is envisaged under the present Bill as compared to what was earlier suggested in the draft consultation paper. That being said, it is hoped that the DPB lives up to its name and plays a lead role in protecting the personal data of Indians in the times to come.
Cyril Shroff is the Managing Partner at Cyril Amarchand Mangaldas. He has over 41 years of experience in a wide range of practice areas, including corporate and securities law, disputes, banking, bankruptcy and infrastructure.
With Contribution from Ashirbad Nayak, Associate