Parliament on Wednesday passed the Digital Personal Data Protection Bill (DPDP), heralding what will become the country’s first law on protecting personal data. Communications and information technology minister Ashwini Vaishnaw said the bill has been made technology-agnostic so that data concepts that are still evolving can be included without requiring amendments.
The minister said the government had already started work on the implementation of the bill, and a roll-out will be seen very soon. He added that fiduciaries will be consulted for the roll-out, which will be done swiftly but with extreme caution.
“This is changing the entire digital economy, so we will take every step with proper checks, proper balance, and proper verification. We must make it a robust mechanism,” the minister said. Some officials said it might take 6-10 months, as an outer limit, to implement the law.
Some Rajya Sabha members sought clarity on why the bill did not mention privacy, compensation and harm; on reputational loss due to data breaches, especially in cases involving women; on breaches of data from other countries that is processed in India; on the need for data protection boards in each state as a grievance redressal mechanism; and on the prevention of data mining by startups.
The minister said carve-outs for startups were only for compliance, and this provided the room for creating regulatory sandboxes for establishing proof of product. “The exemptions given to the states are within the Constitutional framework. Compared to the General Data Protection Regulation (GDPR), where there are 16 exemptions, here there are only four exemptions,” he said.
“Many of the things will evolve as the data protection board gives its rulings. We will understand what needs to be further done so that flexibility is there, and we have kept this bill primarily on principles. We have not kept it descriptive so that gives the flexibility of evolving as the sector evolves,” the minister told the Rajya Sabha while moving the bill, even as opposition members staged a walkout demanding a discussion on Manipur.
The minister also criticized opposition parties for not participating in the debate on the bill. “The opposition has no interest in the rights of users,” he said.
On the question of whether medical data would be protected as user data, the minister said the bill would provide for this. He said the bill would not override any law that provides for a higher degree of protection for, or restriction on, the transfer of personal data by an entity.
Legal experts said the law would come at a time when India was becoming a global digital economy and hence would form a critical tool for the protection of user data. They added that data fiduciaries would have to begin preparedness for the implementation of the law.
“The data fiduciaries can consider proactively looking at the transition implementation. Of course, some of the provisions of the bill are yet to be clarified, leaving some material aspects open for interpretation by data fiduciaries, such as the implementation of reasonable security practices or what may be construed as ‘verifiable’. However, given the heavy penalties attached to breach, the data fiduciaries must proceed with due care and err on the side of caution,” said Shreya Suri, partner, INDUSLAW.
Vikas Kathuria, associate professor, School of Law, BML Munjal University, said that in the short run the Act will increase the compliance burden of smaller firms but that, with the passage of time, such compliance would become standard.
“This Bill, currently pending presidential assent, is poised to reshape how businesses handle personal data within India. Notably, the bill introduces a negative-list approach for cross-border data transfers, allowing data flow to all jurisdictions by default unless expressly prohibited. However, stricter local laws governing data transfer will take precedence,” said Supratim Chakraborty, Partner at Khaitan & Co.
“Data is and will remain the key component of this thriving digital economy. The DPDP Bill 2023 is a much-needed leap in the right direction as it establishes the rights and duties of ‘Data Principals’, the owners of data, and the obligations and liabilities of ‘Data Fiduciaries’, who collect, store, and process the data,” said Sivarama Krishnan, Partner & Leader, Risk Consulting, PwC India & Leader of APAC Cyber Security and Privacy, PwC.
The bill envisages penalties of up to ₹250 crore per instance in the case of a data breach, lower than the ₹500 crore penalty that was proposed in the earlier draft issued in November last year. The penalty will depend on the number of instances and can therefore be multiplied by the number of instances involved.
The bill places reasonable obligations on data fiduciaries, ensuring responsible handling of digital personal data. The concept of consent managers, additional obligations on Significant Data Fiduciary and verifiable parental / guardian consent have been added to the bill.
The bill states that the Centre will decide which companies will be deemed as “significant data fiduciaries” based on multiple factors, such as its “risk to the rights of the data principal (users)”, “potential impact on the sovereignty and integrity of India”, “risk to electoral democracy”, “security of the State”, and more.
The significant data fiduciary will be determined by the impact that entity has on user data rather than the scale of the entity. The bill also mandates a significant fiduciary to have a local office and a data protection officer (DPO).
The provisions also enable the government to block a company, or impose financial penalties, in case of violations. “If any fiduciary does not stop violating the rules after two instances or being penalized twice, the government can ban or block the platform. This is critical for the protection of the users and to control large companies with deep pockets,” officials in the government have said.
Data fiduciaries will have to make stronger agreements with their partners or contractors because, in case of a breach of data between a fiduciary and a data principal, the liability will lie with the fiduciary.
The bill also includes the provision of a negative list for the cross-border transfer of personal data, under which the Indian government will have the ability to regulate and limit the transfer of personal data across borders based on specific criteria set by it.
The law will come into effect once it receives assent from the President and is notified in the official gazette. It arrives six years after the Supreme Court held that privacy is a fundamental right. The bill has become law in its second attempt: the government first brought out the original bill in 2019 but withdrew it last year after the joint committee of Parliament suggested 81 amendments to the bill, which had 99 sections, leading to an overhaul of the bill into its current form.