The Digital Personal Data Protection Bill, 2023

July 27, 2023

Background Note on Digital Personal Data Protection Bill, 2023 along with key highlights of DPDP Bill, 2022

 

Background

 

  • According to the United Nations Conference on Trade and Development (UNCTAD), an estimated 137 out of 194 countries have established legislation to secure the protection of data and privacy of their citizens. The current statistics show that 61% of African countries (33 countries out of 54) and 57% of Asian countries (34 countries out of 60) have data protection laws, while only 48% of Least Developed Countries (22 out of 46) have data protection and privacy laws.1
  • Following the landmark ruling of the Supreme Court of India in Justice K.S. Puttaswamy (Retd.) v. Union of India2 (which recognized the right to privacy as a fundamental right), the Government of India has made endeavours to establish a Data Protection Act in India. To that end, in 2019, legislation known as the Personal Data Protection Bill (PDP Bill) was presented before the Parliament. Throughout its journey, the Bill underwent several stages, including review by the Joint Parliamentary Committee (JPC) and consultations with various stakeholders.
  • On 18 November 2022, the Government of India unveiled the fourth draft of the proposed privacy law, now renamed the Digital Personal Data Protection Bill (DPDP Bill).3 This came shortly after the Ministry of Electronics and Information Technology (MeitY) had withdrawn its predecessor, the PDP Bill, in August 2022. The PDP Bill was withdrawn in order to reconsider the 80+ amendments and multiple recommendations proposed by the JPC.4

1 Soumyarendra Barik, “Data Protection Bill approved by Cabinet: Content, concerns”, The Indian Express, July 2023. Available at: https://indianexpress.com/article/explained/explained-economics/data-protection-bill-approved-by-cabinet-content-concerns-8780035/.

2 Writ Petition (Civil) No. 494 of 2012.

3 “What’s in India’s new data protection bill?”, Global HR Lawyers, 06 December 2022. Available at: https://iuslaboris.com/insights/whats-inindias-new-data-protectionbill/?utm_source=mondaq&utm_medium=syndication&utm_term=Privacy&utm_content=articleoriginal&utm_campaign=article.

4 Ashneet Hanspal, Aditi Mendiratta and Gaurav Bhalla, “India: Analysis Of The Digital Personal Data Protection Bill, 2022”, Mondaq, January 2023. Available at: https://www.mondaq.com/india/data-protection/1267190/analysis-of-the-digital-personal-data-protection-bill-2022#:~:text=Remarkably%2C%20the%20DPDP%20Bill%20has,80%20amendments%20and%20multiple%20recommendations.

  • Thereafter, the revised Digital Personal Data Protection Bill, 20225 was published on November 18, 2022 for public consultation by the Ministry.6 With these changes, the new Bill sought to improve individual rights and individuals’ control over personal data, reinforce data protection regulations, and comply with international best practices.
  • Now, the new “Digital Personal Data Protection Bill, 2023” is proposed to be introduced in the Parliament in the Monsoon Session 2023. As per the discussion around the new Bill of 2023, it is anticipated that the Ministry has largely retained the provisions of The Digital Personal Data Protection Bill, 2022.7

Analysis of The Digital Personal Data Protection Bill, 2022*

  • The 2022 Bill was published in November 2022 with an aim to regulate the gathering, storage, usage, and sharing of personal data online, aligning India with global data protection standards. It sought to address growing concerns about data privacy in the digital world and offered a comprehensive legislative framework in line with international best practices. Special provisions were included for protecting data of children, and the Bill aimed to enhance data security, empower individuals with more control over their data, and establish systems for preventing and handling data breaches. By filling the existing legal gaps and demonstrating India’s commitment to privacy rights and a secure digital ecosystem, the 2022 Bill has the potential to revolutionise data privacy and protection, if rightly implemented.

Important Clauses from The Digital Personal Data Protection Bill, 2022

 

| S.No. | Clause | Provided |
|---|---|---|
| 1. | Consent | The processing of personal data shall be lawful only if the individual has given explicit consent for the collection, processing, and storage of their personal data, and such consent shall be freely given, specific, informed, and unambiguous. |
| 2. | Purpose Limitation | Personal data shall be collected for specified, explicit, and legitimate purposes. Any further processing of the data shall be limited to compatibility purposes and shall require additional consent. |
| 3. | Data Minimization | The collection of personal data shall be limited to what is necessary and relevant for the specified purposes. Excessive or unnecessary data collection shall be prohibited. Data controllers shall take measures to ensure that personal data is accurate, up-to-date, and not retained longer than necessary. |
| 4. | Security and Confidentiality | Data controllers shall implement appropriate technical and organisational measures to ensure the security, confidentiality, and integrity of personal data. This includes protection against unauthorised access, accidental loss, destruction, alteration, or disclosure of personal data. |
| 5. | Data Subject Rights | Individuals shall have the right to access their personal data, request rectification or erasure of inaccurate or outdated data, restrict or object to processing, and receive their personal data in a structured, commonly used, and machine-readable format. |
| 6. | Data Breach Notification | In the event of a data breach that poses a risk to the rights and freedoms of individuals, data controllers shall notify the relevant supervisory authority and affected individuals without undue delay, providing comprehensive information about the breach, its impact, and the measures taken or proposed to address the breach. |
| 7. | Cross-Border Data Transfer | Transfer of personal data to a country outside the jurisdiction shall be allowed only if the receiving country ensures an adequate level of data protection, or if appropriate safeguards are in place, such as binding corporate rules or standard contractual clauses. |
| 8. | Data Protection Authorities | As an independent regulatory authority, the Bill creates the Data Protection Authority (DPA). DPAs are in charge of implementing data protection regulations, monitoring compliance and looking into data breaches. They are essential in managing individual data privacy complaints as well as ensuring that businesses and organisations follow data protection regulations. |
| 9. | Cross-border Data Transfers | The provisions of the Bill on cross-border data transfers have an impact on multinational corporations. They must make sure that personal data is only transferred to nations that offer an adequate degree of data protection or that they put in place the necessary protections, including legally required company policies or pre-established contractual terms. |

5 The Digital Personal Data Protection Bill, 2022. Available at: https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Protection%20Bill,%202022.pdf.

6 “Digital Personal Data Protection Bill, 2022: Analysis and Potential Impact on Businesses”, Nishith Desai Associates, November 2022. Available at: https://www.nishithdesai.com/NewsDetails/8453.

7 “Cabinet approves Digital Personal Data Bill”, The Economic Times, July 2023. Available at: https://economictimes.indiatimes.com/tech/technology/cabinet-approves-draft-data-protectionbill/articleshow/101517561.cms?utm_source=pocket_saves.

* The analysis related to The Digital Personal Data Protection Bill, 2022 has been added for reference.

 

Pros of The Digital Personal Data Protection Bill, 2022

  1. Enhanced Data Privacy: The Bill strongly emphasises the protection of people’s right to privacy. In order to give people more control over their information, it specifies precise rules and standards for gathering, handling, and storing of personal data. Individuals are given more control and their online privacy is better protected. While giving consent over personal data, the Bill provides for the data fiduciary to provide a consent form which is in simple language for the understanding of the user. Legal scholars say the Bill aligns with the objectives of the Digital India initiative, which seeks to convert the country into a digitally empowered society and knowledge-based economy.8
  2. Rights of the individuals under the Bill to ensure data protection: While much has been narrated about creating a liability on the government and the private companies for protection of personal data, the rights of individuals have also been very strongly put forth in this Bill:
    • Individuals have to be informed about the processing or prior processing of their personal data by an organisation, as well as the manner in which such data is being handled.
    • Individuals may also endeavour to obtain information regarding third-party entities with whom their personal data and specific categories of data have been shared.
    • Individuals have the option to revoke their consent if they do not desire their data to be processed.
    • Individuals are entitled to rectify or delete their personal data.
    • Individuals are also entitled to approach an office or authority designated by a company in order to formally register and address any grievances they may have regarding the handling of their personal data.9
  3. Data Security and Breach Prevention: The Bill encourages data security by requiring suitable organisational and technical safeguards to protect personal data. It promotes the use of strong security standards by data controllers and processors, which is expected to lower the possibility of data breaches and unauthorised access. By imposing heavy penalties on the companies involved in data breaches, there is a liability created on the companies to ensure compliance with the provisions of protection of personal data. One of the biggest criticisms of the previous Bill, 2019 was its non-compliance and weak implementable nature; however, those weak provisions have been rectified and a better mechanism for ensuring liability of the companies has been provided for.
  4. Regulatory Framework and Accountability: Through the Data Protection Authority (DPA), the Bill creates a regulatory framework. The DPA will act as an impartial agency in charge of enforcing data protection rules, checking compliance, and looking into data breaches. This regulatory oversight improves corporate accountability and makes sure that data protection practices comply with the law.
  5. Global Alignment and Data Transfers: The Bill intends to harmonise India’s data protection laws with global best practices. This makes cross-border data transfers easier and makes it possible for companies to follow international data protection regulations. Harmonisation with international standards is expected to encourage smooth data flow for international partnerships and will help India establish itself as a reliable location for data processing. Rather than having a ‘blacklisting’ approach, this Bill focuses on a ‘whitelisting’ approach; that is to say, rather than banning countries for cross-border data transfers, India will recognize countries and allow cross-border data transfers with them.[1] A liberal approach to cross-border data transfer will attract foreign investment, support the startup ecosystem and reduce compliance burden on organisations.[2]
  6. Trust and Reputation: The Bill’s stringent data privacy rules will help firms gain the public’s trust and improve their reputations. Businesses can build closer connections with their consumers and stakeholders by showcasing a commitment to protecting personal data. As a result, there may be a rise in brand recognition, consumer loyalty, and market competition.

8 Priya Kumari Shukla, “The 360° UPSC Debate : Will Digital Personal Data Protection Bill violate privacy of citizens?”, The Indian Express, July 2023. Available at: https://indianexpress.com/article/upsc-current-affairs/the-360-upsc-debate-will-digital-personal-data-protection-billviolate-privacy-of-citizens-8848789/.

9 Ibid.

 

Cons of The Digital Personal Data Protection Bill, 2022

 

  1. Compliance Burden and Data Localization: The Bill imposes significant compliance obligations on businesses, particularly small and medium-sized enterprises (SMEs). Compliance may require substantial investments in technology, infrastructure, and staff training, which could pose financial challenges, particularly for startups and small businesses. The provision on data localization, requiring certain categories of data to be stored and processed within India, may disrupt established data flows for multinational companies operating in the country. Compliance with this requirement may increase costs and hinder the efficient management and transfer of data across global operations.
  2. Ambiguity and Interpretation: Certain terminology and sections in the Bill, such as “reasonable purposes” and “sensitive personal data”, are not defined clearly, allowing opportunity for interpretation. Ambiguity can create legal issues and compliance difficulties, necessitating more explanation and direction from regulatory authorities.
  3. Cross-border Data Transfers: The provisions for cross-border data transfers could make things more difficult for companies with global operations. Legal ambiguity and impediments to international data flows could result from compliance with various data protection standards in several nations. These worries might be lessened by harmonisation and conformity with international data protection frameworks.
  4. Exemptions for the Central Government and its agencies: The criticised provisions of the previous Bill about granting exemptions to the Central Government and its agencies for data processing have been retained in this Bill. The Central Government can be exempted from following the provisions of this Bill in case of “public interest” that is, on account of national security, relations with foreign governments, and maintenance of public order among other things. The administrative control in appointing members of the Data Protection Board, which is an adjudicatory body that will deal with privacy-related grievances and disputes between two parties, is with the Central Government. There is also concern that the law could dilute the Right to Information (RTI) Act, as personal data of government functionaries is likely to be protected under it, making it difficult to be shared with an RTI applicant.[3]

Through stakeholder discussions, additional consideration, and recurring legislative assessments, it is critical to resolve these challenges. Establishing a strong and balanced data protection framework requires balancing privacy protection with innovation, reducing compliance costs, giving clear definitions, and ensuring efficient enforcement methods.

 

DISCLAIMER: The opinions expressed herein are entirely those of the author(s). Swaniti makes every effort to use reliable and comprehensive information, but Swaniti does not represent that the contents of the report are accurate or complete. Swaniti is a non-profit, non-partisan group. This document has been prepared without regard to the objectives or opinions of those who may receive it.

 

[NOTE: This Background Note is prepared on the basis of information and materials available in media sources or public domain only. The Bill of 2023 is yet to be introduced in the Parliament, hence, the note will be updated as and when a text of Bill is available]

[1] Soumyarendra Barik, “Data Protection Bill approved by Cabinet: Content, concerns”, The Indian Express, July 2023. Available at: https://indianexpress.com/article/explained/explained-economics/data-protection-bill-approved-by-cabinet-content-concerns-8780035/.

[2] Vikas Bansal, “Digital Personal Data Protection Bill: What businesses need to know”, The Economic Times, July 2023. Available at: https://cio.economictimes.indiatimes.com/news/government-policy/digital-personal-data-protection-bill-what-businesses-need-toknow/101828422

[3] Soumyarendra Barik, “Data Protection Bill approved by Cabinet: Content, concerns”, The Indian Express, July 2023. Available at: https://indianexpress.com/article/explained/explained-economics/data-protection-bill-approved-by-cabinet-content-concerns-8780035/