Digital Personal Data Protection Bill, India – 4th time lucky?
The latest draft of the Digital Personal Data Protection Bill in India was released by the Ministry of Electronics & Information Technology (MeitY) on 18 November 2022. This draft is open for feedback till 17 December 2022.
The discourse around data protection in India, particularly relating to personal data, is not new. It was first introduced as an amendment to the Information Technology Act, 2000 with the introduction of Section 43A in 2008. This amendment put an obligation on bodies corporate to protect the sensitive personal data and information that they processed, dealt with, or handled using their computer resources. This amendment also introduced a penalty for non-compliance. This was followed a couple of years later with the introduction of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules 2011. These rules specified minimum standards for protecting sensitive personal data, and required companies to have a privacy policy and a basic consent architecture in which consent of the data principal (whose data is being collected/processed) is obtained and the data principal is kept informed as to who the recipients of the data are.
In the subsequent years other rules/regulations were introduced in different sectors (e.g., in financial services) by the respective regulators. However, in 2017, in a Supreme Court judgement (Puttaswamy Judgement), “privacy” was recognized as intrinsic to the right to life and liberty of the individual, guaranteed by Article 21 of the Constitution of India. This effectively meant that the ‘right to privacy’ is a fundamental right. This led to the setup of the Srikrishna Committee (under former Supreme Court Justice B.N. Srikrishna). This committee presented the Draft Personal Data Protection Bill in 2018.
This draft was amended after getting industry and stakeholder feedback and MeitY introduced the revised draft into the Rajya Sabha (the Upper House of Parliament) in December 2019. This draft bill introduced a comprehensive framework for personal data protection with specific compliance requirements, with specific consent requirements and explicit rights given to data principals. There was also a proposal for a central data protection authority as well as significant penalties for violation of the law. It also spoke about the need for sectoral regulators to continue to be the competent authority for the respective sector. There was also a clear requirement for localizing data storage onshore for certain sensitive/ critical personal data.
As expected, there was quite a furor around the implementation challenges surrounding the draft bill. This resulted in the bill being sent to the Joint Parliamentary Committee (JPC) for review.
Meanwhile MeitY set up a committee to study the requirements around governance of non-personal data. This report was published in December 2020.
After almost two years of consultation and review, the JPC submitted a revised draft in November 2021, renamed as the Data Protection Bill 2021 (DPB). A key change was the extension of coverage to non-personal data. There were also stringent reporting requirements on breaches. The DPB also required hardware manufacturers to have a certification mechanism for IoT and other digital devices. This new version once again attracted a lot of comment from stakeholders, around the perception that the Bill allowed the State several exceptions when it came to its need to obtain and process personal data, as well as the potentially unwieldy requirements for hardware/device certification, especially given the proliferation of IoT devices in use today.
In August 2022, the Government withdrew the DPB 2021 from parliament stating that a comprehensive legal framework was needed to ensure adequate safeguards for individuals’ data as well as ensuring that innovation in the country would not be hobbled.
The fourth iteration is the Digital Personal Data Protection Bill, 2022 (DPDP), published in November 2022. Key changes include the dropping of four clauses from the earlier version, namely:
- Regulation of hardware and devices
- Localisation of data with retrospective effect
- Need for regulatory approval for each instance of cross-border flow of data
- Penalty computed on the global turnover of the corporate
The latest version
- allows for transfer of data to jurisdictions identified by the government
- requires individuals to be notified about details of their data collected and the purpose for which it will be used
- gives individuals the right to withdraw consent (requiring any data collected to be erased, subject to regulatory retention requirements)
- also envisages the setting up of a Data Protection Board to manage the compliance framework and be the adjudicating authority for any complaints, violations etc.
- provides for penalties of up to INR 5 Billion (approx. USD 62 Mio) to be applied for non-compliance
- interestingly has a provision to penalise individuals INR 10,000 (approx. USD 125) for furnishing wrong information or registering false grievances.
The draft bill is still open for feedback on MeitY’s website. There are several commentaries in the public domain that have been vocal about perceived shortcomings in this latest draft. It remains to be seen as to what the final version will look like after incorporating some of the feedback before the bill is navigated through parliament.
That said, there is no doubt that there is a crying need to have a comprehensive framework for data protection in the country, more so given that India is projected to have one of the biggest digital data footprints in the world. It is also among the top ten global economies in size and projected to be in the top 3 in the next decade or so. India is currently holding the G20 Chair and is also in the process of cementing several free trade agreements (FTA) globally and regionally. Add to this the ever-looming cyber threat that continues to plague institutions globally and it’s clear that missing this window can create a drag on the ambitious growth plans of the country and its commercial institutions. While there are arguments about wanting to have a privacy bill with little or no distortions, it's hard to expect that this will happen in the imperfect world we live in. Besides, the grotesqueness of these distortions (and the propensity for abuse) will only be known with time. And, as in the case of previous greenfield legislation, the smoothening of these distortions will take time and enable practitioners to harness the learning that comes with experience.
________________________________________________________________________
I hope that you enjoyed The Lateral View!
Look forward to connecting with you!
-Shrinath
Shrinath Bolloju is the Chief Strategy Officer of KGISL. Shrinath has spent over 30 years in the banking and securities services industry and has worked in technology, operations and run a business, in various geographies across Asia, Europe and the Americas.
Project Manager for Wealth - Products, Process, Solutions & Delivery
1 year ago: Thanks for sharing information.
Seasoned Banker, Leadership in Service, Operations & Process Management & Re-engineering, Risk Management, Audit, Control Compliance, Transition & Transformation, Budget, Costs and Efficiency Mgmt with large teams
1 year ago: Very well articulated and simply put. Data Protection continues to be a critical requirement and we have to see the final shape. It will be a continuous process for changes as we progress. Thanks for sharing and putting it in simple words.
Brilliant article... loved reading it
Shrinath, you made it such a simple and informative yet comprehensive take on this highly debated piece of proposed legislation. Thoroughly enjoyed reading it. Probably miles to tread before we settle on it.
Experienced Banking professional
1 year ago: Very informative, thanks for sharing. Once passed, will this further strengthen the Banking regulator's ongoing agenda around data localisation?