Digital Data Protection Bill 2023 Passed, Industry Praises Move

Digital Data Protection Bill 2023 was passed in the Rajya Sabha on 9 August with a voice vote. The proposed legislation entails the handling of digital personal information in a way that respects both individuals' rights to safeguard their personal data and the necessity to process this data legally, along with related and consequential considerations.

Important Details of the Digital Data Protection Bill

The Bill protects digital personal data (that is, the data by which a person may be identified) by providing for the following:

• The obligations of Data Fiduciaries (that is, persons, companies and government entities who process data) for data processing (that is, collection, storage or any other operation on personal data).
• The rights and duties of Data Principals (that is, the person to whom the data relates).
• Financial penalties for breach of rights, duties and obligations.

Industry Reactions to the Digital Data Protection Bill

Shreya Suri, Partner, INDUSLAW, said: “There has been quick progression on the Bill, which now stands passed by both the houses within a week of being introduced. This only indicates the government’s keenness to bring in a legislation which will take India a step closer to global standards. Given the rapid developments in relation to passing of this Bill, it can be expected for it to be enacted and implemented as law sooner than originally anticipated. The data fiduciaries can consider proactively looking at the transition implementation. Of course, some of the provisions of the Bill are yet to be clarified, leaving some material aspects open for interpretation by data fiduciaries, such as implementation of reasonable security practices or what may be construed as ‘verifiable’. However, given the heavy penalties attached to breach, the data fiduciaries must proceed with due care and err on the side of caution. Overall, this Bill is a positive and a much-needed step for India and will also help position India as a viable jurisdiction for data adequacy arrangements with other progressive nations.”

In the same vein, Vihang Virkar, Partner, Lumiere Law Partners, said : “It is time that India established a robust legal mechanism to protect personal data of its citizens, in line with global standards. The current legal framework in India dealing with protection of personal data is formed of an assortment of legal provisions which can be found in various separate legislation. While India is moving rapidly to become a dominant player in the global digital economy, it is important that the existing collage of data protection laws in India be unified into a single statute. The current form of the Digital Personal Data Protection Bill, which was recently passed in the Lok Sabha, is certainly a step in the right direction as it seeks to create a framework of rights for citizens vis-à-vis their digitised personal data, and also imposes obligations and restrictions on the usage of collected digitised personal data.”

Virar went on to add: “The bill, when notified, will bring about some important systemic changes – such as setting up of a Data Protection Board to regulate the regime of digital personal data protection, exemptions being granted to the government in the handling of personal data in certain situations, identification of certain entities/ persons as significant data fiduciaries and casting additional obligations on them, imposing significantly higher penalties for breach, etc. I am hoping to see the bill being passed to become law soon.”

Sivarama Krishnan, Partner & Leader, Risk Consulting, PwC India & Leader of APAC Cyber Security & Privacy, PwC said that the Bill touches the lives of more Indian citizens and businesses than any other law in recent times. “India is fast emerging as a leader in the global digital economy, thanks to a range of factors, including the digital initiatives of the Government and the increased digital adoption among consumers. Data is and will remain the key component of this thriving digital economy. The DPDP Bill 2023 is a much-needed leap in the right direction as it establishes the rights and duties of ‘Data Principals’, the owners of data, and the obligations and liabilities of ‘Data Fiduciaries’, who collect, store, and process the data. The Bill places reasonable obligations on data fiduciaries, ensuring responsible handling of digital personal data. Introduction of consent managers, additional obligations on Significant Data Fiduciary and verifiable parental / guardian consent for are welcome inclusions to bill. Even as the finer details of the Bill will be clearer in days to come, it's highly recommended that enterprises start their journey towards privacy maturity now,” he said.

Ivana Bartoletti, Global Chief Privacy Officer, Wipro Limited in response to India's Digital Personal Data Protection Bill 2023, said: “With the advent of Artificial Intelligence and the need for safeguarding privacy, India’s Digital Personal Data Protection bill aspires to set and evolve the framework for businesses to adopt best practices, strengthen data governance and drive responsible data handling. Embracing a ‘Privacy by Design’ approach integrates privacy measures from the inception of the technology or system development, rather than treating it as an afterthought. It fosters a sense of trust amongst stakeholders and can even accelerate growth opportunities.”