Marking the beginning of what is to become the nation's first law governing the protection of personal data, the Indian Parliament gave the nod to the Digital Personal Data Protection Bill. The Bill, which was already passed by the Lok Sabha on Aug. 7, was approved by the Rajya Sabha on Aug. 9. The Bill will become law after it receives the consent of the President of India.

The DPDP Bill seeks to provide protection of digital personal data, establish standards for how businesses should process data digitally, confirm rights of individuals, set out a complaint resolution mechanism and establish a Data Protection Board of India that will oversee the implementation of the law in the country.

Communications and Information Technology Minister Ashwini Vaishnaw said that work on the rollout has already begun, and the government is likely to implement it over the next 6-10 months, after consulting with fiduciaries.

“This is changing the entire digital economy. So, we will take every step with proper checks, proper balance and proper verification. We must make it a robust mechanism,” Vaishnaw said.

The Need For Digital Personal Data Protection Bill

Data—and particularly personal data—is the bloodstream of today’s organisations. In a widening digital landscape, personal data is continuously being collected by businesses. Whether it is accessing content, shopping online, submitting health records or banking/insurance details, individuals need to furnish various data during their online journey.

This data is later processed and, apart from being used for specific purposes, it helps understand user preferences, which then enables hyper-personalisation, targeted advertisements, and customised user experiences.

However, unchecked data harvesting and processing can harm people's privacy, which is considered a fundamental right of citizens. Data can be stolen, misused or lost, resulting in user profiling, loss of reputation and financial damages—for individuals and businesses alike.

“Data is and will remain the key component of this thriving digital economy. The DPDP Bill 2023 is a much-needed leap in the right direction as it establishes the rights and duties of ‘data principals’, the owners of data, and the obligations and liabilities of ‘data fiduciaries’, who collect, store and process the data,” said Sivarama Krishnan, partner and leader, risk consulting, PwC India, and leader of APAC cyber security and privacy, PwC.

Disruptive technologies such as generative artificial intelligence—despite their obvious benefits—also come with a caveat pertaining to data privacy. According to a recent survey by Gartner, generative AI tools may possibly share user information with third parties, such as vendors or service providers, without prior notice, which has the potential to violate data privacy.

“We must remind ourselves that our native digital ecosystem is filled with businesses and apps offering digital services and products ranging from food delivery to financial services to ticket reservations. There is an enormous amount of data being generated on a daily basis, and it calls for a robust framework to safeguard this data,” said Rishi Agrawal, CEO and co-founder, TeamLease RegTech.

How The Bill Aims To Protect Personal Data

According to the Ministry of Electronics and Information Technology, the Bill provides for the processing of digital personal data in a manner that recognises both the rights of the individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.

The passing of the DPDP Bill marks “a pivotal moment in India's history, emphasising the newfound importance bestowed upon the fundamental right of privacy. India has confirmed that privacy is not something that we are entitled to, it is an absolute prerequisite,” said Kulbir Kaur, partner, EY Forensic and Integrity Services.

The Bill is applicable to processing of personal data within India if the data is collected online or collected offline and digitised. It shall also apply to data processing outside India if the same is used for offering goods or services in the country.

The DPDP Bill lays down various responsibilities and liabilities of data fiduciaries, entities that handle and process personal data, in accordance with the rights of individuals. Some of its key highlights include:

Data fiduciaries may process personal data only if an individual has given consent, and for legitimate purposes only.

Individuals from whom data is sought must be given a notice by the organisation at the time of consent, explaining the purpose of data processing along with information about data rights and complaint procedures.

If an individual chooses to withdraw consent, the organisation must cease to process the personal data within a reasonable time frame.

Data fiduciaries must protect personal data in their own possession or under the control of a data processor by taking security safeguards to prevent personal data breach.

In the event of a breach, the data fiduciary must intimate the Data Protection Board and affected parties, including individuals.

Organisations must establish an effective mechanism to redress the grievances of individuals, including appointing a data protection officer and sharing their contact details with users.

The government can identify organisations as significant data fiduciaries on the basis of sensitivity of data that they handle and risk of data breach to individuals and to the security of the state.

The Bill empowers the government to control personal data transfer to other countries or territories beyond India.

The Bill also entitles the Data Protection Board to inspect documents of data fiduciaries and propose blocking data access to entities that breach its provisions.

Penalties for numerous offences are outlined in the Bill, including up to (i) Rs 200 crore for failing to fulfil the provisions laid down related to children and (ii) Rs 250 crore for failing to take security precautions to avoid data breaches.

What The Bill Means For Businesses

The passing of the DPDP Bill has made critical the need for businesses to align their operations with its provisions in order to ensure compliance and avoid legal action or penalties.

“With these regulations, all corporations now need to assess their resultant obligations and create robust processes to deal with them. Businesses will have to quickly adapt to these requirements to stay on the right side of the law. This Bill is set to attach greater significance to data privacy and consumer rights that will now shape how businesses deal with personal data,” said Agrawal.

Businesses must now look at improving the existing infrastructure to support data privacy for various stakeholders, including customers, vendors and employees, in accordance with the guidelines established for data processing, notice, consent requirements, and other provisions. They also need to show readiness to set up compliance frameworks and bodies since new laws and regulations are expected to be rolled out soon.

Alan Mamedi, CEO and co-founder of Truecaller, said that the Bill “provides a modern, straight-forward, and comprehensive privacy framework”. He added that Truecaller is “committed to our mission of making communication safe in India and around the world and will comply with all provisions of the upcoming regulations”.