A big warm and resounding hello from India!

The reason for my joie de vivre: the much-awaited draft of India’s Personal Data Protection Bill is finally here.

It is open for public comments until 17 Dec., after which the government may rework parts of it based on feedback. The IT Minister has indicated that the government expects to have the bill passed by August 2023. Needless to say, the whole world is watching to see how the personal data of 1.4 billion individuals will be protected and governed.

What are the highlights of the bill?

Firstly, the bill is called the Digital Personal Data Protection Bill, so the scope is restricted to data in digitized format only. However, scanned data is also considered digital data.

The bill is much shorter and simplified compared to previous drafts. Everything "extraneous" to personal data protection has been deleted. In many places it is "high level," with a provision for rules to be framed downstream.

All classifications of personal data, like sensitive and critical, were done away with. Children’s data, though, is under added focus, with specific clauses on what is required and what cannot be done when it comes to children. The issue of trans-border data flows has been simplified to say that personal data can be transferred to countries notified by the government.

The quantum of penalties outlined in the bill took everyone by surprise. They are huge — several orders beyond what was proposed in all the earlier drafts. We are talking of upper limits in the range of Rs 5/2.5/1.5 billion (about $61/30.5/18 million). The earlier drafts talked of penalties around one hundredth of these amounts.

There are some exemptions for small entities and startups, to reduce the burden of compliance. However, the core principles of using data only for purposes the individual has consented to are not exempt.

The concept of "deemed consent" has been introduced and discussed in detail. Lawful bases like public interest, which come under a separate head in most PDP legislations, were brought under deemed consent, along with several other lawful bases.

There are four data subject rights outlined. Two of them — the right to grievance redressal and the right to nominate — are new. The other two are the right to information, which includes the right to confirmation of whether an organization has a data subject’s personal data and the right to know which other controllers the individual’s data has been shared with, and the right to access and correction.

Interestingly, the bill talks of "duties" of a data subject. Essentially the data subject has a duty to ensure nothing false or fraudulent is shared with a controller. Penalties of up to 10,000 rupees are also proposed for any transgressions.

Certain organizations would be classified as significant data fiduciaries. These would essentially be controllers whose work could be considered high risk. While the bill specifies the parameters to define who would come under this category, the actual categories are not defined.

Needless to say, the bill has generated a host of concerns and criticisms. Many of its sections allow for rules to be framed later by the government on specifics. Experts opine this gives power to the government, at times outside of direct legislative guidance, which is risky.

The bill allows the government to exempt certain sections of the government and law enforcement agencies, which has raised concerns about enabling the state to carry out surveillance.

Another criticism voiced has been on the proposed Data Protection Board and its independence from the government.

All in all, there is a lot of debate and discussion going on over the bill as various stakeholders prepare to send their feedback.

The coming months are going to be interesting indeed!

Meanwhile, here’s wishing you all a great holiday season ahead.