The Indian Parliament passed the much-awaited DPDP Bill on August 10th, 2023. This comes six years after the Supreme Court of India declared the right to privacy a fundamental right. The Ministry of Electronics and Information Technology (MeitY) had introduced the first draft of the bill in 2022, but later withdrew it for further consultation after industry expressed concerns about some of its provisions. This significant piece of legislation is now just a procedural step away from becoming law.
This bill is broadly similar to other data protection laws across the globe (mainly GDPR and ADPPA), especially in how it defines personal data, requires the consent of the data principal for data processing, and sets out the obligations of the data fiduciary. However, it differs in a few areas:
- It allows cross-border flow of data to all geographies except those blacklisted by the government. Other similar laws, such as GDPR, use a whitelisting approach instead. This is understandable, considering that whitelisting can be a cumbersome process for India's process outsourcing services industry.
- It applies only to “digital” personal data, or data digitised after being collected offline.
- It does not categorise personal data in detail, unlike GDPR and ADPPA, which leaves it somewhat vague.
- It does not have a “right to be forgotten” provision, unlike GDPR.
The state is mostly exempt from its provisions
The central government and its agencies are exempt from DPDP in the interest of national security and law and order. The bill exempts state agencies from deleting personal data after use, and overrides the consent of an individual where the state processes personal data to provide benefits, services, licences, permits or certificates. Further, it removes purpose limitation as far as the state is concerned. This is similar to the UK's data protection law of 2018; however, the UK law regulates bulk processing of personal datasets and has more safeguards against misuse by the state. DPDP also has no provisions for regulating harm arising from the processing of personal data. Such harm may include financial losses, loss of access to special benefits, identity theft, loss of reputation, discrimination and more. It also does not provide a right to data portability.
More clarity on process would be helpful
The bill needs clarity on the process for identifying the source of a data leak or breach, and on how accountability is to be defined. Similarly, the law requires data fiduciaries to take reasonable measures to protect data and to obtain consent before sharing it, but it would help to have clarity around an implementation mechanism. It also does not define the redressal mechanism available to the data principal in case of a data breach. It skips procedural questions such as: should affected individuals complain to a central authority if they feel their data has fallen into the wrong hands? Should they file a police complaint? Who is the accused in such a case, given that the data principal may not know the source of the leak?
Impact on industry
The good news for industry is that policymakers have tempered some of the draconian clauses that existed in the earlier draft, especially the requirement to report breaches to the authorities within 72 hours, as recommended by the Joint Parliamentary Committee. These clauses had rightfully made the industry apprehensive.
Industry leaders must note that:
- They will need to be more cautious about sharing personal data. For example, a bank, e-commerce company or food delivery app sharing customer details with a travel app, insurance provider or healthcare app can lead to legal challenges for the primary data fiduciary.
- DPDP may need more clarity on what counts as reasonable data protection in case of a breach, but it still expects reasonable data security and protection measures to be in place for compliance with the law.
- Industry will need to do more work around auditing and implementing the law. It must ensure that all related personal data is deleted from every record once a data principal withdraws his or her consent.
- Industry must watch out for the blacklisted regions, areas or countries to which personal data cannot be transferred.
- Industries such as edtech, healthcare, sports and more must be careful with the data of minors and specially-abled people. This is a good thing, as it will ensure the safety of the most vulnerable sections of society.
- Clarity is needed on the use of AI on personal data to provide better services to customers and/or employees. This can become complicated in cases such as outsourced service centres, where the entities managing the data or building and training the AI models may differ from the data fiduciary.
Talk to us
As we study the bill further and understand its implications once it is enforced, we will continue to update this space. Please contact us to learn more about the Digital Personal Data Protection Bill 2023, or similar laws across the globe.