DPDP Bill will set a new global standard for data protection regimes
The introduction of the Digital Personal Data Protection Bill, 2023 (DPDP Bill) by the government is welcome.
By Data Privacy Team, Shardul Amarchand Mangaldas & Co.
The introduction of the DPDP Bill in the Lok Sabha this Monsoon Session marks an important milestone in India's journey towards a comprehensive data governance framework.
The DPDP Bill, the development of which reflects multi-stakeholder consultation, will set a new global standard for data protection regimes. The DPDP Bill will likely have far-reaching implications, given its sector-neutral applicability. With an increasing number of businesses adopting technology and relying on processing of personal data as a core part of their business, the DPDP Bill is likely to have an impact on businesses of all sizes.
The DPDP Bill has attempted to resolve contentious issues while striking a ‘balance between rights, commerce and innovation’. The DPDP Bill will play a critical role for India in achieving its goal of building a three-trillion-dollar digital economy. For instance, MEITY's stance on enabling cross-border data transfers accounts for the need to enable access to global digital services and technological innovation. In addition, MEITY has attempted to make the DPDP Bill more business-friendly by excluding any criminal penalties for non-compliance under the DPDP Bill. Instead, the DPDP Bill only imposes monetary liabilities for any contraventions, in line with India's moves towards de-criminalisation of economic offences. The DPDP Bill also allows entities to provide voluntary undertakings to the Data Protection Board for undertaking specific actions. This too is a positive step in accordance with prevailing global best practices.
On the other hand, it is also encouraging to see MEITY introducing certain international standards of data governance in the DPDP Bill. The DPDP Bill provides a comprehensive list of rights guaranteed to data principals (including the right to correction, erasure of personal data, and grievance redressal) and ensures that data fiduciaries comply with certain basic obligations (such as obtaining consent, effecting data principals' rights, protecting personal data under their control and being responsible for complying with the provisions of the DPDP Bill). Introducing such measures is likely to create a more transparent and accountable data governance framework going forward.
That said, several key issues under the DPDP Bill, such as the manner in which notice is to be provided to data principals, standards determining verifiable consent of a parent/guardian, and conditions for erasure of, and time periods for retention of, personal data by data fiduciaries, have been delegated to subordinate legislation. We hope that MEITY will continue conducting multi-stakeholder consultations on future rulemaking and we look forward to supporting it in its regulatory endeavours. We also look forward to seeing the manner in which the TDSAT, which has been designated as the appellate authority under the DPDP Bill, undertakes its functions.
While the DPDP Bill does not have any provisions for transitioning to the requirements of the new law, it allows MEITY to notify specific provisions separately, and thus implement the law in a phased manner.