IT Minister Ashwini Vaishnaw introduced the Digital Personal Data Protection Bill, 2023 (DPDPB, 2023) in the Lok Sabha on Thursday, which, if enacted, will bring in a new compliance regime for enterprises.
While the Bill was met with heavy criticism from the Opposition, which asked for it to be officially referred to a Parliamentary panel for further deliberation, experts say that enterprises should not waste time in getting compliance ready.
Once the Bill is enacted, it will require enterprises, which are referred to as ‘Data Fiduciaries’ (or those trusted with data), to process the personal data of individuals in a lawful manner and for specific purposes only. The Bill will also apply to enterprises based outside India that serve individuals within India.
“Enterprises will have to review current ways of working especially for personal data of individuals such as their employees, customers, merchants, vendors, etc. to be able to honour the rights that individuals may exercise, such as right to access, update, erase their personal data etc.,” says Manish Sehgal, Partner, Deloitte India. “As more guidance will be released in days and months to come, it’s highly recommended that enterprises don’t wait and start their readiness journey right away, with fundamental steps of data hygiene.”
Non-adherence could attract sanctions and a commercial penalty of as high as Rs 250 crore.
Companies will have to formulate water-tight processes around where the data lies within an enterprise, who accesses it, who processes it, and how data flows from one function to another.
“The right processes, tools and solutions, governance, accountability and, most importantly, awareness amongst people are core, and must be ready,” Sehgal adds. “Once the Bill is enacted, transformation is imminent and enterprises should embrace it, not just for compliance purposes but to establish and operate in a privacy-enabled environment.”
Key features and concerns
The Bill, which had three previous iterations that were eventually shelved, has been controversial in parts. Let’s take a look at some salient features, along with concerns that experts, and the Opposition, have expressed.
Cross-border data transfer
Earlier versions of the Bill proposed putting in place a whitelist of countries eligible to receive Indian data. The DPDPB, 2023, however, instead adopts a negative list approach, which gives the government the power to decide which countries are placed on that list, and by what criteria.
“This represents a significant shift in strategy. Based on this approach, the Indian government will have the ability to regulate and limit the transfer of personal data across borders based on specific criteria set by the Indian government,” says Supratim Chakraborty, partner at law firm Khaitan & Co. “Such power will not override any law that provides for a higher degree of protection for or restriction on transfer of personal data by an entity. The approach adopted by the Indian government in determining the criteria for the negative list and maintaining harmony between sectoral laws and the Bill will be crucial.”
Notice requirements get weaker
According to experts at the Internet Freedom Foundation (IFF), compared to the 2019 and 2021 versions, data fiduciaries no longer have to inform data principals about the third parties with whom their data will be shared, the duration for which their data will be stored, or whether their data will be transferred to other countries.
The Bill mandates that consent for the collection of personal data must meet specific criteria, including being specific, informed, unconditional, unambiguous, and limited to the extent necessary for the specified purpose. “Further, the Bill provides that even where consent is obtained for a specified purpose, the consent will only be valid where the processing of personal data is necessary for such specified purpose,” Chakraborty adds. “This provision has significant implications for businesses as they will now be required to obtain consent for purposes which are necessary for which it is being collected.”
“The Bill requires that informed and affirmative consent be taken based on a simple consent notice. A convenient way to withdraw this consent, raise grievances, and exercise certain rights like correction and erasure needs to be provided,” adds Arun Prabhu, partner and head of technology & telecom at law firm Cyril Amarchand Mangaldas.
The idea of the consent manager in the Bill is a welcome innovation, Prabhu adds. “While they are subject to a strict compliance regime, consent managers have the potential to enable individuals to monitor and manage consents in a simple, central manner, thereby reducing consent fatigue which is a global problem, and ensuring that businesses treat data responsibly,” he says.
Like Prabhu, Chakraborty says that a solid grievance redressal mechanism is key. “Further, the Bill provides a tiered mechanism where individuals will have the option to approach the Data Protection Board of India only after they have exhausted the grievance redressal process enabled by an entity,” he says. “Therefore, entities should ensure adequate technological and organisational capabilities to enable individuals to register their grievances as well as resolve grievances in a time-bound manner.”
Data Protection Board
According to IFF, the DPDPB, 2023 weakens the Data Protection Board as all appointments will now be made by the Union Government.
The Bill has also removed the obligation for data processors to independently notify the Data Protection Board of India and affected individuals of any personal data breach. The responsibility for reporting data breaches now solely lies with the data fiduciaries.
“The Bill places a significant burden on data fiduciaries for overseeing data processing activities conducted by their data processors,” Chakraborty says. “In a related development, while financial penalties for significant contraventions could go up as high as Rs 500 crore under the previous version of the Bill, the new version has retained the financial penalties in the range of Rs 50 crore to Rs 250 crore.”
Right to Information
A major concern is about the proposed amendment to the Right to Information Act (RTI). The new provision says all personal data about individuals is exempt from disclosure in answers to RTI applications. It says that there shall be no obligation under the RTI Act to give any citizen “information which relates to personal information the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer, the State Public Information Officer, or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information”.
“The amendment of the Right to Information Act, 2005 will significantly weaken the historically progressive law,” the Internet Freedom Foundation warns.
Another view is that the Bill has been amended to remove references to the Central Public Information Officer (CPIO) and the State Public Information Commissioner (SPIC), “which are no longer relevant since we have a full-fledged data protection regime that deals with personal information. This exception in the RTI Act existed when there was no DPDP Bill. Now that there is a law on privacy, it has to be rationalised,” explains Rahul Matthan, partner at Trilegal.
“There are of course some things I would like changed, even deleted, but in general, compared to previous drafts of the law that we have seen, this is a fair draft that will be good for business, and will kick-start a data protection jurisprudence in the country,” he adds.
(With inputs from Naandika Tripathi)