A dive into the new 'Digital Personal Data Protection Bill' in India

A dive into the new ‘Digital Personal Data Protection Bill’ in India. (Photo by SUJIT JAISWAL / AFP)

A dive into the new ‘Digital Personal Data Protection Bill’ in India

  • India unveiled a draft law on data – stating where it should reside, how it should be regulated, and how it should be paid for.

Last week, the government in India unveiled its latest attempt at data protection law – a piece of legislation that replaces a 2019 bill that proved so disputable it was shelved before being put to a vote. The draft of the Digital Personal Data Protection Bill, 2022 (DPDP Bill, 2022) — is now made open for public comments and the government is expected to introduce the Bill in Parliament in the budget session of 2023.

The latest draft is the fourth iteration of a data protection law in India. Beginning with the Personal Data Protection Bill, 2018, the government made revisions and re-introduced it as the Personal Data Protection Bill, 2019 (PDP Bill) in the Lok Sabha, the lower house of the Indian parliament. On the same day, the Lok Sabha passed a motion to refer the PDP Bill, 2019 to a joint committee of both the Houses of Parliament. 

Pandemic delays meant the Joint Committee on the PDP Bill, 2019 (JPC) took two years to submit its report on the Bill, in December 2021. The report was accompanied by a new draft bill, the Data Protection Bill, 2021, that incorporated the recommendations of the JPC. Unfortunately, in August 2022, citing the report of the JPC and the “extensive changes” that the JPC had made to the 2019 Bill, the government withdrew the PDP Bill.

What sets the latest data protection bill in India apart from its ‘predecessor’?

With 760 million active Internet users, privacy has remained a thorny issue in India. It was only after the Supreme Court ruled that privacy is a fundamental individual right, that Prime Minister Narendra Modi’s government came up with data protection legislation — and that also took two years, before another three years of debate. The 2019 version of the bill had sought to severely restrict transfer, processing and storage of data overseas. 

That version of the Bill was also not admired by Big Tech or digital rights organisations. Asia Internet Coalition – a trade org whose members include Apple, Facebook, Google, Amazon and Twitter – sent a letter to lawmakers last January calling the data localization requirements in the bill “onerous” and asserting cross-border transfer decisions should be free of political interference.

The PDP Bill, 2022, applies to all digitally processed personal data. This would include data collected online and personal data collected offline that’s digitized for processing. The draft of the bill states that consent is required before collecting personal data, and it proposes stiff penalties of as much as 5 billion rupees (US$61.2 million) on persons and companies that fail to prevent data breaches including accidentally disclosing, sharing, altering or destroying personal data. 

Companies are allowed to store the collected data for specified periods. The government will “notify such countries or territories outside India to which a data fiduciary may transfer personal data,” according to the draft Digital Personal Data Protection Bill unveiled on Friday for public feedback. In the previous version of the bill, the parliamentary panel recommended changes including treating social media platforms like Meta as publishers and setting up a watchdog to oversee them.

The new draft bill instead proposes setting up a Data Protection Board of India that will monitor and determine non-compliance and impose penalties. Companies like Amazon and Meta will also be required to appoint data protection officers who will represent them and who must be based in India.

As Bloomberg puts it, “the draft bill also requires companies such as the parent entities of Google and Facebook to be accountable to a “consent manager” to provide an “accessible, transparent and interoperable platform” to give, manage, review and withdraw consent. Personal data of children cannot be obtained or processed without parental consent.”

Overall, the latest bill is more lenient than previous bans on cross-border data flows and data sovereignty requirements. The change of tone is said to ensure Indian businesses can fully participate in the global digital economy for the benefit of locals. The DPD Bill however does not specify an implementation period, and simply states that its provisions will come into effect on the date(s) appointed by the government.