After years of debate and delays, Indian Parliament can now consider the proposed Digital Personal Data Protection Bill.
The 2023 version of the draft bill was introduced in the lower house of Parliament, the Lok Sabha, 3 Aug. following approval by the Union Cabinet of Ministers 5 July. According to ANI News, the Lok Sabha is expected to open its consideration of the DPDPB 7 Aug.
"We're living in a time where we are finding ourselves in a much more digital world than ever before," Indian Minister of State for Electronics and Information Technology Rajeev Chandrasekhar said following the introduction of the DPDPB to Lok Sabha. "There's this environment of big companies, small companies and technology companies essentially creating business models by misusing and exploiting digital personal data of citizens. That's something this bill intends to address."
Earlier this week, the parliamentary panel on IT, which introduced the bill to the Lok Sabha Thursday, recommended the DPDPB be expedited "without any undue delay," according to The Indian Express. Indian Parliament's monsoon session ends 11 Aug.
The bill, deemed an "absolutely brand new framework" by Chandrasekhar, covers all India-based organizations that process personal data as well as international entities processing data on Indian residents. Key provisions include a broad definition for personal data, data processing permitted by individual consent and "deemed consent," designations for approved cross-border data transfers, and the creation of the Data Protection Board of India.
The proposed Data Protection Board will have enforcement power over DPDPB noncompliance and data breaches. Notably, the proposed DPDPB gives legal immunity to members of the Data Protection Board and the central government for "anything which is done or intended to be done in good faith under the provisions of this Act or the rules made thereunder."
Data breaches will produce the steepest fines under the proposed penalty scheme. Companies that are unable to protect against breaches and fulfill required breach reporting obligations would see a fine of between Rs 50 crore and Rs 250 crore.
The Economic Times reports lawmakers may consider giving the Data Protection Board the power to force content removal from a site or platform and block user access from a platform.
The road to a new bill
It's the first time Parliament has introduced data privacy legislation since 2019, as Indian officials mulled four different frameworks dating back six years, to when the Supreme Court of India ruled on the fundamental right to privacy. The proposed DPDPB was subject to a November 2022 public consultation that generated more than 20,000 stakeholder comments lawmakers were left to consider before arriving at a final draft.
Chandrasekhar said the evolution of the bill "has been extremely interesting," while noting prior iterations of the DPDPB proved "too complex" and would have brought "a tremendous amount of compliance burdens for our young startups and young entrepreneurs." Comparing the DPDPB to past privacy proposals, he said the bill is "globally competitive, very contemporary, very simple and very easy to understand."
Exemptions aplenty
Much of the focus in the debate on the proposed DPDPB has centered on broad government power and its exemptions from provisions of the bill. The draft before Parliament has not addressed those concerns, according to The Internet Freedom Foundation.
In a statement regarding how "extremely disappointed" it is with various aspects of the bill, the IFF said a chief issue is "the further widening of exemptions granted to government instrumentalities that may facilitate increased state surveillance." The nongovernment organization also criticized "the absence of clear provisions on various important issues which have been left to future executive rulemaking."
Retired Indian Supreme Court Justice B.N. Srikrishna previously called out the carveouts as providing "too much margin to the government" and doing "little to protect individuals' fundamental right of data privacy."
The bill also contains exemptions involving children's personal data. The processing of children's data and obtaining parental consent for use could be exempted upon examination of whether a covered entity sufficiently proves it is "verifiably safe" under standards determined by the Data Protection Board and central government.