On November 18, 2022, the Government of India (GoI) released the much-awaited “The Digital Personal Data Protection Bill 2022” (DPDP Bill).
It may be recalled that, following much public criticism & searching scrutiny from a spectrum of relevant stakeholders, GoI was forced to withdraw the previous version/iteration, “The Personal Data Protection Bill 2021”, on Aug 3, 2022. The 2021 version itself arose from the original 2019 version, which had been introduced in the Indian Parliament on December 11, 2019. On its introduction, it was immediately referred to a Joint Committee of both Houses of Parliament (JCP) for examination. The JCP submitted 81 recommendations for changes and a comprehensive report along with the 2021 Bill. Both the original 2019 version and the 2021 Bill had been preceded by extensive stakeholder consultations.
In line with the predictions in K&S Partners’ regulatory update of August 2022, the new draft DPDP Bill has:
- come about within a few months of the older 2021 version being withdrawn;
- taken a practical view of cross-border data flows;
- proposed changes by way of amendments/deletions to certain connected laws like the Information Technology Act, the Right to Information Act, etc., to harmonize these with the DPDP Bill;
- done away with the earlier distinctions between personal data & sensitive/critical personal data and has chosen the generic category of 'personal data’;
- carried forward the separate category of children (persons below the legal age of 18 years), whose access to data fiduciaries and sharing of personal information with them remain subject to parental/guardian control;
- carved out a separate category of significant data fiduciaries, to keep the compliance burden proportionate to the quantum and quality of personal data being handled by an organization; and, as expected,
- not diluted core elements such as the protections & exemptions for government organizations/state instrumentalities/enforcement agencies from the strict accountability and obligations arising under the DPDP Bill.
Comparison of the new DPDP Bill with the older versions
While the core building blocks of a data protection law have to necessarily remain the same, the new draft is certainly not a rehash of the old. It differs considerably in form, substance, and approach. For starters, the DPDP Bill is succinct, just 24 pages in all including annexures, in contrast to the 50+ pages of the old version.
The new version has also steered clear of being too prescriptive and has left most of the heavy lifting to rules to be framed by the GoI. Government organizations and members of the Data Protection Board (DPB) have been given legal protections/exemptions. The DPDP Bill has deftly avoided many contentious areas such as non-personal data, data in physical form, and day-to-day situations where personal data is exchanged for transient purposes. The scope is focused and restricted to the automated processing of digital personal data.
Another substantial change is the removal of criminal penalties such as arrest and imprisonment; the Bill instead opts for financial penalties only.
Shortcomings in the DPDP Bill
The DPDP Bill seeks to protect the privacy rights of citizens. The biggest holder of personal data is the government. If the government & its instrumentalities are exempt, then the DPDP Bill would only protect digital privacy rights against invasions by the private sector. Secondly, too much has been left to delegated legislation, which will make implementation tortuous. No timelines have been given for implementation, which means it could be years before all aspects of the DPDP Bill are properly implemented.
The DPB has been designed as an implementation and adjudicatory organization, not as an autonomous organization championing the Right to Privacy.
The DPDP Bill has been placed in the public domain for consultations. This consultation process is not likely to take long since all the key elements have already been discussed threadbare over the past three years. It is expected that the Bill will become law by February 2023.
Guidance for firms
Now that the broad contours of the new regulation are clear, organizations should begin planning their next steps under it & assessing its impact on existing operations by mapping both their data estate and their data operations. Systems and processes need to be built around the entire data lifecycle (creation, preservation, destruction). Organizations, particularly those that will become significant data fiduciaries, must invest in privacy awareness across the organization, and especially among top management.