Sun. Dec 22nd, 2024


The Prime Minister Narendra Modi-led Union government on 3 August introduced the Digital Personal Data Protection Bill, 2023 in the Lok Sabha.

It was tabled in Parliament by Union Communications, Electronics, and Information Technology Minister Ashwini Vaishnaw, amid strong opposition from Opposition leaders, who claimed it violates the fundamental right to privacy.

The Opposition sought that the bill be sent to the standing committee for scrutiny, as the government had withdrawn a bill on data protection last year and the new bill needs more scrutiny.

Vaishnaw, however, claimed that this bill is not a money bill and that all issues raised by the opposition will be answered during the debate.

Government’s take:

Meanwhile, MoS for Electronics and Information Technology Rajeev Chandrasekhar said the bill will protect the rights of all citizens.

He took to Twitter and wrote, “DPDPBill introduced in #Parliament is a very significant milestone in PM @narendramodi ji’s vision of Global Standard Cyber Laws for India’s $1T #DigitalEconomy and #IndiaTechade. @GoI_MeitY has developed this bill after extensive consultations which I led – with all stakeholders including #DigitalNagriks.”

Explaining more, he said, “This new Bill after it is passed by Parliament, will protect the rights of ALL citizens, allow the innovation economy to expand, and permit Govt’s lawful n legitimate access in national security and emergencies like pandemics and earthquakes, etc.” He mentioned, “DPDPBill is a global standard, Contemporary, FutureReady yet simple and easy to understand.”

Experts’ opinion:

Commenting on the bill, Manish Sehgal, Partner, Deloitte India, said to LiveMint, “The moment we have been waiting for the past few years has finally arrived! The much-anticipated privacy bill (referred to as Digital Personal Data Protection Bill, 2023), was tabled in the Parliament on Thursday, August 3rd, 2023. Once enacted, it will enable individuals (referred to as Data Principals) to govern their own personal (digital) data and will drive enterprises (referred to as Data Fiduciary) to process the personal data of individuals lawfully, for specific purposes only. Given the bill’s extra-territorial coverage, enterprises based outside India serving individuals in India will also be expected to adhere to the provisions of this bill once enacted. Enterprises will have to review the current ways of working especially for the personal data of individuals such as their employees, customers, merchants, vendors, etc. to be able to honor the rights that individuals may exercise, such as the right to access, update, erase their data, etc. Nonadherence of obligation listed in the bill may attract sanctions and commercial penalty as high as 250 crore.”


He added, “As more guidance will be released in days/months to come, it’s highly recommended that enterprises don’t wait and start their readiness journey right away with the fundamental step of data hygiene i.e. where is the data within the enterprise, who accesses it, who processes it and how data flows from one function to another. Right processes, tools & solutions, governance, accountability, and most importantly awareness amongst people are core to be ready. Once the bill will be enacted, transformation is imminent and enterprises should embrace it, not just for compliance purposes but to establish and operate in a privacy-enabled environment.”

Shahana Chatterji, Partner, Shardul Amarchand Mangaldas & Co. said to LiveMint, “The Digital Personal Data Protection Bill, 2023 Bill prepared by MEITY is a forward-looking legislation that will have a horizontal application across sectors and will also impact businesses of all sizes.”

She added, “As such, the DPDP Bill strikes an important balance in protecting users’ rights and promoting innovation in digital businesses. Its key business-friendly provisions include eliminating criminal penalties for non-compliance, facilitating international data transfers etc. On the other hand, it also provides for a comprehensive set of rights guaranteed to data principals which aims to create a transparent and accountable data governance framework going forward.”

“We laud the introduction of the DPDP Bill as an important step towards building a new legal architecture for digital businesses and the ushering in of India’s “techade” and remain supportive of MEITY’s ongoing regulatory efforts. We also appreciate MEITY’s efforts in conducting extensive public and stakeholder consultations for developing a robust legal framework that will set a new international precedent as far as data protection frameworks go. We hope that MEITY continues to follow this approach of multi-stakeholder engagement for future rulemaking under this new law,” she said.

What is the Digital Personal Data Protection Bill?

As per details, the DPDP bill is legislation that sets out the rights and duties of the citizen (Digital Nagrik) on the one hand and the obligations of the data fiduciary to use collected data lawfully on the other. The Bill, which seeks to govern and safeguard the use of personal data, sets out the rights and duties of users and the obligations on businesses.

It is based on six principles of the data economy, of which the first concerns the collection and usage of the personal data of citizens of India. The collection and usage of personal data should be lawful, the data must be protected from breach, and transparency should be maintained. The second principle says that data collection exercises must be for a legal purpose and that the data should be safely stored till the purpose is served.

The next principle concerns data minimization, which says that only relevant data about individuals should be collected and that serving the pre-defined purpose should be the only aim.

The fourth principle is regarding Data Protection and Accountability while the fifth talks about the accuracy of data. The last principle lays down the rules regarding reporting a data breach. In case of a data breach, it should be reported in a fair, transparent, and equitable manner to the Data Protection Boards.

What does the DPDP bill propose?

It proposes data protection legislation that allows the transfer and storage of personal data in some countries while raising the penalty for violations.

Also, the proposed legislation stipulates consent before collecting personal data and provides for stiff penalties of as much as 500 crore on persons and companies that fail to prevent data breaches, including accidental disclosures, sharing, altering, or destroying of personal data.

Applicability and Scope of DPDP bill:

The bill applies to the processing of ‘Digital Personal Data’ and excludes from its ambit both non-personal data and data in non-digital formats, reported HT.

This applies to processing digital personal data within the Indian territory and processing digital personal data outside India if such processing is in connection with any profiling or offering goods or services to data principals within India.

However, it doesn’t apply to non-automated processing, processing for domestic or personal purposes by individuals, and personal data about individuals contained in records that have been in existence for at least 100 years, quoted the report.

Consent Criteria:

As per the bill, the personal data of an individual can only be processed for a lawful purpose for which the concerned individual has given consent or is deemed to have given her consent. It states that the consent should be free, specific, informed, and unambiguous. A clause on deemed consent has also been added, which refers to situations where consent is not expressly needed.

Data Localisation and Cross-Border Transfer:

According to the current bill, cross-border data flow to certain countries and territories has been permitted, along with relaxations in data localization requirements.

Data Retention:

To determine non-compliance and impose penalties, a Data Protection Board will be set up, which will be ‘digital by design’ and will also accept voluntary undertakings.

The Bill permits data fiduciaries to retain personal data for ‘Business Purposes’ even after the purpose for collection is no longer served by its retention.

Personal Data Breach Penalty:

The bill proposes a penalty of 200 crore if the data fiduciary or the data processor fails to report a personal data breach to the Data Protection Board and affected individuals.

Also, for failure to ensure reasonable security safeguards, the Data Fiduciary or Processor can be penalized up to 250 crores.

If the Board determines, in an inquiry, that non-compliance by a person is significant, it may impose a penalty as specified in Schedule 1 of the Bill, not exceeding 500 Crores in each instance, reported HT.

With agency inputs.

 


Updated: 03 Aug 2023, 06:17 PM IST
