Why Digital Personal Data Protection Bill, 2023 is crucial and how it will shape India’s digital landscape

The Bill is all-encompassing and lays the foundation for providing a data shield. However, there are a host of challenges ahead for the Bill that need to be tackled cautiously.

India’s quest to become a digital superpower is well underway, with innovations like the JAM trinity, UPI, and DigiLocker driving the nation towards a $1 trillion digital economy. As the digital landscape flourishes, the need to protect personal data and privacy becomes paramount. In this pursuit, the Digital Personal Data Protection Bill, 2023 (DPDPB) emerges as a crucial step towards safeguarding user information in the digital age. With its introduction in Parliament, India Inc. finds itself at the forefront of data protection and privacy regulations.

Understanding Digital Personal Data Protection Bill – Balancing Privacy and Business Interests

The primary objective of the DPDPB is to strike a delicate balance between safeguarding individual privacy rights and facilitating lawful data processing for legitimate purposes. The bill lays down a robust framework for data protection, emphasising ethical data collection, secure storage, and proper disposal practices. By empowering individuals with greater control over their data, the DPDPB aims to enhance transparency and accountability among organisations handling personal information.

“The DPDPB represents a significant step forward in updating data protection laws in India. While its main goal of ensuring privacy is commendable, its effects on technology companies and the IT industry are complex. Striking a balance between protecting personal information and encouraging new technologies is extremely important,” said Jitender Ahlawat, Founder and Managing Partner, HJA and Associates.

Key Provisions of the DPDPB – Protecting Privacy with Responsibility

The DPDPB introduces several key provisions for organisations and individuals alike to ensure compliance with data protection laws.

“The PDP Bill 2023 sets out provisions of key significance, including the removal of differentiation between personal and sensitive data, introduction of deemed consent, and stringent financial penalties for non-compliance,” pointed out Ahlawat.

“The bill lays down a strong foundation for protecting privacy and confidentiality in the digital format. It provides a complete framework for collecting, storing, processing, sharing, transferring, and disposing of personal and sensitive data,” said Sandeep Bomble, Founder and Director at Palasa Creative Place.

Some salient provisions include:

Deemed Consent: The bill introduces the concept of deemed consent, wherein data principals are deemed to have provided consent in certain scenarios, alleviating the need for explicit consent in every instance.

Child Data Protection: The DPDPB places special emphasis on protecting children’s data, requiring verifiable parental consent and prohibiting tracking and targeted advertising aimed at children.

Significant Data Fiduciary: The bill introduces the concept of Significant Data Fiduciaries, imposing additional responsibilities on large data-based companies.

Data Protection Impact Assessment: Significant Data Fiduciaries must conduct assessments to identify and manage risks associated with data processing.

Challenges and Criticisms – Striking a Delicate Balance

As with any significant legislation, the DPDPB has faced its fair share of challenges and criticisms from stakeholders.

“The DPDPB has given the government significant powers, and there is no sufficient legislative guidance provided regarding these. Critics raise concerns about potential infringement of individual privacy rights, misuse of personal information by government agencies, and the lack of clarity in certain provisions,” said Prasanth Sugathan, Legal Director, SFLC.in.

“The DPDPB has the potential to change how businesses operate, increase the costs associated with following regulations, and impact how data is handled. It is vital to ensure its effective implementation with proper compliance and regulations,” pointed out Sujit Patel, MD and CEO, SCS Tech.

The challenges include:

Complexity: Some stakeholders find certain provisions, especially for data fiduciaries, complex and difficult to implement.

Compliance Burden: Smaller organisations may face challenges in meeting the bill’s requirements, leading to increased compliance costs.

Data Localisation Concerns: Critics argue that data localisation requirements may hinder cross-border data flows and increase compliance costs for businesses operating internationally.


Data Protection in the Global Arena

To better understand the significance of the DPDPB, it is essential to compare it with other global data protection regulations.

“The DPDPB differs from General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) in terms of scope, consent, and the concept of Significant Data Fiduciaries,” said Prateek N Kumar, Founder & CEO, NeoNiche.

“The DPDPB’s focus on deemed consent and child data protection sets it apart from other global data protection regulations,” pointed out Bomble.

Startups Under Scrutiny – Balancing Innovation and Compliance

Startups, often at the forefront of digital innovation, face specific challenges in complying with the DPDPB.

“The DPDPB will shake things up for startups, requiring increased security measures and explicit consent for data usage. Adaptation and compliance will be crucial for them,” said Rishi Agrawal, CEO and Co-Founder, TeamLease RegTech.

“Startups will need to innovate and adapt to comply with the DPDPB. Ensuring user data protection while facilitating personalised marketing strategies will be a challenge,” said Bomble.

“Safeguarding not only personal information but also the very infrastructure that holds it, ensures a landscape where trust, innovation, and progress can thrive unhindered,” pointed out Udit Mehrotra, MD and CEO, Spectra.

The DPDPB’s impact on startups includes:

Enhanced Security Measures: Startups will need to invest in encryption tools and cybersecurity experts to protect user data.

Explicit Consent: Obtaining explicit consent from users before using their personal information will be essential for startups.

Implementation and Enforceability – A Collective Responsibility

While the DPDPB paves the way for data protection, its effectiveness relies on robust implementation and enforcement.

“With the bill now passed, it is vital to ensure its effective implementation with proper compliance and regulations. This includes strong measures to enforce penalties for non-compliance,” said Dr. Sanjay Katkar, Joint Managing Director of Quick Heal Technologies Ltd.

“The DPDPB is intended to regulate all forms of personal data collected, processed and stored in the digital format and is also designed to apply to entities outside India. Industry members should continue to engage with the government regarding rule-making,” pointed out Aparna Gaur, Leader at Nishith Desai Associates.

The government, businesses, and individuals all share the responsibility of ensuring compliance with the DPDPB. Transparent implementation and robust enforcement mechanisms are vital to maintaining data privacy and security.

Charting a Compliant Future

As the DPDPB becomes a reality, India Inc. prepares to embrace a compliant future, where user privacy is respected and technological advancements thrive. Startups innovate and adapt, businesses strategise for compliance, and the government ensures enforcement. Amidst the challenges and criticisms, India’s digital landscape is poised for growth while safeguarding the precious trust of its citizens. As the DPDPB ushers in an era of responsible data protection for India, the nation takes a significant leap towards a digital age that balances privacy and progress in perfect harmony.