The Digital Personal Data Protection Bill 2023, introduced in the Lok Sabha on Thursday, has abolished data localisation mandates and criminal penalties for data breaches while incorporating voluntary undertakings, as requested by industry stakeholders. Nevertheless, experts have raised concerns over increased governmental control and exceptions.
The government obtained 21,666 suggestions from industry stakeholders and legal experts during public consultations following the release of the draft Bill in November of the previous year. It has revised numerous provisions based on these suggestions. For instance, the Bill now allows cross-border data transfers to all countries, excluding those blacklisted by the government. The previous proposal had been to compile a list of countries where data transfers would be permissible.
The global industry body ITI Council, representing several major tech firms, has applauded the Bill.
“India’s completion of comprehensive privacy legislation marks a significant step in the government’s efforts to develop a digital regulatory framework. We support the introduction of a clear, flexible approach to international data flows and anticipate contributing to a robust, multistakeholder rulemaking process to address outstanding issues,” said Kumar Deep, ITI’s Country Director for India.
He added that “further work is required to ensure the framework provides clear legal grounds for businesses to process data where consent is not possible or technically feasible, such as for fraud prevention, ensuring robust network security, and other critical business activities.”
Significantly, the specifics of legal requirements for platforms will only be clarified once the government establishes the rules following the Bill’s enactment.
Manish Sehgal, Partner at Deloitte India, commented on the Digital Personal Data Protection Bill, stating that businesses operating in India should scrutinise current practices, especially concerning personal data of individuals such as employees, customers, merchants, and vendors.
“As more guidance will be released in the coming days or months, we highly recommend that enterprises begin their readiness journey immediately with the fundamental step of data hygiene i.e., understanding where data resides within the enterprise, who accesses it, who processes it, and how data flows from one function to another,” said Sehgal.
While the Bill mandates strict consent requirements and purpose definitions for data collection by any platform, the government has retained the power to exempt its instrumentalities under various circumstances.
Pawan Duggal, a cyber law expert, opined that the exemption provisions in the Bill might generate inherent tensions in the data economy.
“The Bill is unprecedented as it provides penalties of up to Rs 250 crore, probably the highest penalty any Indian law has seen till now. The idea is to create a deterrent. However, this is likely to create two different ecosystems – one for the corporate ecosystem that will be required to comply and the other for exempt entities who will not need to comply,” Duggal said.
Digital rights advocacy group Internet Freedom Foundation has expressed numerous concerns about the Bill, citing major provisions left for later rule-framing, expanded exemptions for government instrumentalities, and executive control over the Data Protection Board.
“In its current form, the DPDPB 2023 does not adequately safeguard the Right to Privacy and should not be enacted. A meaningful discussion and debate on the draft Bill in Parliament, including a referral to an appropriate committee which may seek further public input in its deliberations to re-architect the Bill, is necessary to ensure it protects citizens’ privacy from both private entities and state instrumentalities,” stated the Internet Freedom Foundation.