After a five-year-long wait, it seems that India is finally set to have its own full-fledged data protection law. The Digital Personal Data Protection Bill, 2023, signals the ushering in of a new era in India’s digital development journey, one which recognizes the value and centrality of personal data in today’s globally interconnected digital economy, as well as one that takes cognizance of the need to safeguard such personal data from misuse.
The Bill breaks new ground in its legislative drafting. It is written in a concise, straightforward and uncomplicated manner, with minimal use of carve-outs, cross-references and legal jargon that tend to impact readability, and makes liberal use of illustrations. These have the effect of making the Bill more understandable and thereby more accessible to the general public—an important factor to consider for a law that concerns almost 700 million Indians who are digitally connected today.
The Bill has also opted for a principles-based approach that focuses on dos and don’ts, with questions of form and manner left largely to the rule-making powers of the Central government—or for digital businesses themselves to determine. Given the pace of innovation and disruption in the tech sector, it is understandable why the Bill is centred around principles and outcomes rather than modes or processes. Not only will this approach enhance the longevity of the law, it would also provide businesses with a fair degree of flexibility in achieving compliance, without such flexibility necessarily entailing a compromise on the objectives of the law.
In terms of substance, it is evident that the present Bill has settled for a unique Indian balance between protecting the rights of individuals on the one hand and recognizing the needs and interests of private industry and innovation on the other, while reserving enough space for the government to continue delivering services with minimal disruption. While such a balancing act is bound to cause some consternation, it achieves an overall sense of inclusivity, with every stakeholder having emerged as a beneficiary in some manner.
Businesses are likely to benefit from the light-touch and facilitative approach of the Bill towards personal data processing that is centred around a relatively straightforward and simplified notice-and-consent regime and a much more permissive stance on the cross-border sharing of personal data than what had earlier been contemplated. These moves indicate a willingness on the government’s part to repose trust in private-sector organizations to act as responsible custodians of the personal data of their customers.
By putting in place such a rationalized and minimally intrusive data protection regime, the country could be well poised to attract global tech-based investments that could make the sector a prime mover in our quest to become a $5 trillion economy. At the same time, the Bill’s simplified data protection regime could act as a boon for the burgeoning domestic startup ecosystem by allowing for startups to be exempted from certain obligations, upon notification. This could provide the impetus required to further strengthen the Indian startup ecosystem and bolster its global competitiveness. Given the ever-increasing pace of digital penetration, a simplified data processing regime will help in bringing digital services to the doorsteps of millions in interior parts of the country.
It is, however, incumbent on the industry to stay suitably mindful of the important changes that the Bill intends to effect. In addition to the light-touch approach, the Bill contains severe financial penalties for those that do not comply with it. Transgressions could potentially cost businesses dearly, and the proposed Data Protection Board will be empowered to come down heavily on errant businesses, especially repeat offenders.
The signalling seems clear: Businesses that demonstrate a willingness to respect and protect the personal data of individuals will be allowed to operate with minimal interference, while those that do not will be held accountable.
There is an intense debate surrounding the exemptions that have been made available to the government by the Bill. These exemptions, which enable the government to perform its functions without undue constraints, are made subject to the government’s compliance with its own relevant policies on data sharing that are becoming increasingly sophisticated and granular. Of course, we also have a judiciary whose courts have not shown hesitation so far in striking down or reading down legislative or executive actions that are not in keeping with the constitutional principles of privacy that the Bill codifies.
Also under discussion is the specialized Data Protection Board to be set up. This body, whose powers and role are fleshed out by the Bill, will take up user grievances as well as references from other courts and bodies. Upon doing so, operating as a digital office, the Board will have the authority to issue directions and take emergency measures, as well as hand down a range of fines that may go up to ₹250 crore for a violation.
Much remains to be done in detailing the provisions of the new law, including in terms of rule-making, formulation of policies and the creation of a guidance code that both the government and private sector can rely on for proper compliance.
Varun Mehta has contributed to the article.