What Happens When Digital Personal Data Protection Bill Is Enacted Industry experts share thoughts on Lok Sabha passing the DPDP Bill, 2023 yesterday
By S Shanthi
You're reading Entrepreneur India, an international franchise of Entrepreneur Media.
With Lok Sabha passing the Digital Personal Data Protection (DPDP) Bill 2023 on Monday, we are now inching close to the bill becoming a law. This will determine how private and government entities can use or process citizens' data.
After the milestone was achieved yesterday, we asked industry experts to share their thoughts on the same. But, before we get to that, here is a backgrounder on the bill.
DPDP Bill: A snapshot
The initial draft of the bill was introduced in November of last year and after several rounds of public consultation. The Joint Parliamentary Committee reportedly suggested stricter compliance requirements for companies. "Sufficient safeguards have been provided in the bill to ensure that data is only accessed through a fair and proportionate procedure," head of the committee PP Chaudhary said. According to reports, the committee proposed over 200 amendments.
On July 5th, the Union Cabinet approved the draft DPDP Bill for tabling in the upcoming monsoon session of Parliament, according to a PTI report, citing an official source.
The bill proposes to levy a penalty of up to INR 250 crore on entities for every instance of violation of norms in the bill. According to the source, the bill includes almost all the provisions of the last draft that was issued by the Ministry of Electronics and Information Technology for consultation.
"The purpose of this Act is to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto," according to an official statement by the government. Here is everything you need to know about the bill.
It all started in August 2017 when the Supreme Court said that privacy is a fundamental right and that the privacy of personal data and facts is an important part of the right to privacy. A nine-judge bench of the Supreme Court of India, during the hearings in the K.S. Puttaswamy vs. Union of India (2017) "right to privacy" case, affirmed the right to privacy as a fundamental right. Later, a nine-member expert committee was created to examine various issues related to data protection in India, headed by Justice B. N. Srikrishna. In July 2018, the Committee submitted its report and a draft Personal Data Protection Bill, 2018 to the Ministry of Electronics and Information Technology.
Industry reactions
Manish Sehgal, partner, Risk Advisory, Deloitte India: "Data protection bill once enacted will enhance the privacy cognizance of Indian citizens by empowering them with their privacy rights through transformative accountability measures to be adopted by enterprises. Driving robust protection and security measures, combined with effective privacy policies and grievance redressal are the layered requisites towards its compliance."
Shreya Suri, Partner, INDUSLAW: "As we inch closer to the long-awaited personal data protection legislation reaching 'enactment' status, there are still some gaps which would necessarily need to be addressed. For instance, the bill does not indicate the kind of security safeguards that need to be adopted by data fiduciaries for preventing data breaches, to be considered as 'reasonable', although a hefty penalty of up to INR 250 crores has been prescribed for non-compliance with this requirement. Gaps aside, the Bill is still a huge positive step towards India meeting the global adequacy requirements, and despite exemptions granted to state instrumentalities in certain limited instances, minimum standards for processing will still be required to be implemented. Some specific relaxations for start-ups have also been attempted to promote ease of doing business. That said, the Bill levels up the standard of compliance by a significant degree for all data fiduciaries (start-ups or otherwise), as compared to how things stand today. As a consequence, businesses will need to review not only their internal practices but also their user interfaces to ensure compliance."
Hemant Krishna, partner, Shardul Amarchand Mangaldas &Co.: "Data is the currency of the digital age and processing of personal data is the pivot around which today's digital economies revolve. Now, with the strides made by AI, personal data can be processed with unprecedented velocity and sophistication. Ironically, despite the volume and variety of personal data in India, due to the absence of a proper privacy framework, citizens have not had sufficient control over their data and businesses have struggled to find legitimate ways to collect and process personal data. That is all set to change when the DPDP Bill becomes law. This law when enacted will touch the lives of more Indian citizens and businesses than any other in recent times."Dr. Vikas Kathuria, Associate Professor, School of Law, BML Munjal University: "The Digital Protection Act brings in the much-needed legal framework to foster trust in digital markets. On one hand, it protects the privacy of Indian digital citizens on the other hand it enables digital markets to grow more responsibly. In the absence of a data protection framework, businesses followed self-regulations that were not homogeneous. The new Act provides a common framework that will be applicable across the industry. In the short run, the Act will increase the compliance burden of smaller forms. With the passage of time, however, such compliance becomes standard. Moreover, this framework will increase the trust of users in newer and lesser-known firms. Thus, small firms need not fear the compliance cost."
Sivarama Krishnan, partner and leader, Risk Consulting, PwC India & leader of APAC Cyber Security & Privacy, PwC: India is fast emerging as a leader in the global digital economy, thanks to a range of factors, including the digital initiatives of the Government and the increased digital adoption among consumers. Data is and will remain the key component of this thriving digital economy. The DPDP Bill 2023 is a much-needed leap in the right direction as it establishes the rights and duties of 'Data Principals', the owners of data, and the obligations and liabilities of 'Data Fiduciaries', who collect, store, and process the data.