Lok Sabha okays data bill; worries on Centre’s powers remain

The bill was introduced in Parliament by Ashwini Vaishnaw, minister for communications, electronics, and information technology, marking a step towards creating India’s first law on data protection and privacy.

Several members of Parliament (MPs) said the bill gives the government excessive powers to block any content on any platform, citing public interest and sweeping exemptions to the government while processing user data without consent.

Some said there was ‘excessive centralization of power’, with the Centre empowered to exempt any government or private agency from the implications of the law. Some members cautioned that government would decide on appointments to the Data Protection Board, the appellate authority for grievance redressal, which may adversely impact the independent functioning of the board.

Vaishnaw said the bill had been established on the principles of ‘legality, limitation of purpose, data minimization, data accuracy, limitation of storage, reasonable safeguards and accountability.’

“Data of users by any government or private agency can be taken only on the basis of law. The data has to be used for the sole purpose for which it has been obtained, and only that much data needs to be obtained which needs to be used. Anything more than that is not necessary,” he said in the Lok Sabha amid sloganeering from the opposition.

“If there’s a change of data of users, it is the responsibility of the platforms and the right given to the users. Data taken can be stored for a limited time and not beyond that. The data taken by the agencies has to be protected by them, and the agencies will be held responsible for the same,” the minister added. The bill was passed via voice vote after a short debate.

Legal experts and civil society observers said while the bill was a step in the direction of finally having a law for data protection, several gaps remain. “For instance, the bill does not indicate the kind of security safeguards which need to be adopted by data fiduciaries for preventing data breaches, to be considered as ‘reasonable’, although a hefty penalty of up to 250 crore has been prescribed for non-compliance with this requirement,” said Shreya Suri, a partner at IndusLaw.

Manish Sehgal, partner, risk advisory at Deloitte India, said driving robust protection and security measures, combined with effective privacy policies and grievance redressal, were the layered requisites towards compliance with the bill.

On the provision of blocking of data by a data fiduciary in the interest of the general public, legal experts said the grounds appeared vague and would have to be interpreted taking into account judicial precedents. “If there is no public interest ground, such blocking orders may be challenged. There are hefty penalties prescribed if intermediaries do not comply with blocking orders,” said Tanisha Khanna, leader, media, entertainment and gaming practice at Nishith Desai Associates.

Compliance will demand significant resources, especially for small and medium-sized businesses that may not currently have the required data management systems in place. Some added that implementing the law could increase the cost of doing business.

“Given the stringent norms and steep penalties, it would be interesting to understand the evolution of the protective insurance landscape to cover the risks. The regulations may lead to eventual consolidation across sectors as smaller businesses might find it difficult to cope with the proposed regulations,” said Divakar Vijayasarathy, founder and chief executive of DVS Advisors.

A senior policy adviser said that a proposal to give companies two years to become compliant with the upcoming law has been floated, even as most tech companies operating globally were compliant with the European Union’s GDPR, which is far more stringent than India’s DPDP.

“This means that operationally, this should not be a major challenge for most companies to comply with,” the person added, asking not to be named.

“Since the bill does not differentiate between personal data and critical/sensitive personal data, it will be interesting to see how compliances unfold at a pan-India level, especially since notice and consent requirements will trigger even when name and phone number/e-mail ids are collected,” said Huzefa Tavawalla, head, disruptive technologies practice at Nishith Desai Associates, noting that the move was a paradigm shift from the existing data protection rules which trigger compliances only for sensitive personal data.

“One key challenge is that most Indian legislation do not come with specific timelines that define by when user data is to be expunged. As a result, this is an area that may need to be looked at eventually by the government for clarifying the stance on data erasure,” said Supratim Chakraborty, partner, Khaitan & Co.

Experts also noted that the bill was a step towards India meeting the global adequacy requirements, where minimum standards for processing will still be required to be implemented. Some specific relaxations for startups have also been attempted to promote ease of doing business.

“The bill levels up the standard of compliance by a significant degree for all data fiduciaries (startups or otherwise), as compared to how things stand today. As a consequence, businesses will need to review not only their internal practices but also their user interfaces to ensure compliance,” said Suri of IndusLaw.

On the positive side, the bill leaves scope for the creation of many different avenues of jobs, said some observers. For instance, in the case of significant data fiduciaries, the bill will bring the need for data protection officers who must be based in India, conduct data protection impact assessment (DPIA) and appoint independent data auditors to conduct data audits. “Plus, every company will now need to offer their notice and consent documents in 22 Indian languages, which leaves a major segment open for translation firms,” said Chakraborty.

Hemant Krishna, partner, Shardul Amarchand Mangaldas & Co., said that despite the volume and variety of personal data in India, due to the absence of a proper privacy framework, citizens have not had sufficient control over their data, and businesses have struggled to find legitimate ways to collect and process personal data. “That is all set to change when the DPDP Bill becomes law,” he said.

Updated: 08 Aug 2023, 01:02 AM IST