Digital Personal Data Protection Bill 2023: The Need of the Hour

Imagine you decide to cook pasta and go to the grocery store to pick the same. You received the invoice over WhatsApp and made the payment via Gpay. When you reach home, you receive messages over the phone that pasta sauce, cheese, olives, etc., are available at discounted costs. And when you open your laptop, various sites suggest things needed for pasta. This is just one order, and we are facing this increasingly. 

Data privacy and security issues have emerged in the past decade since the large-scale adoption of digital transformation. With the increasing amount of data being extracted and exchanged for data thefts and leaks, the need for protection has never been greater. According to a recent report by IBM Security, the highest average cost of data breaches surged to $4.45 million in 2023, indicating a 15% increase in a span of three years. These alarming figures clearly point toward the threats to digital privacy – whether it is personal data or data breaches. 

Solution – In the Making

Fortunately, the government has taken positive steps to safeguard digital personal data. On Wednesday, August 9^th, 2023, the highly anticipated Digital Personal Data Protection Bill 2023 was passed by the Rajya Sabha, six years after the Supreme Court declared the "right to privacy" as a fundamental right of every citizen. It directed the center to introduce a data protection regime. This will become the country's first data protection act – at the brink of becoming a law once it gains approval from the President of India. 

The initial steps were initiated in 2018 by establishing a Personal Data Protection (PDP) Bill, following which it was proposed to a joint parliamentary committee. After two years of analysis, the bill's report was presented and modified in December 2021. In 2022, however, the center withdrew the PDP Bill – quoting compliance issues – and introduced the Digital Personal Data Protection Bill in a few months. Soon after, the cabinet approved the bill tabled in Rajya Sabha. 

The bill, which has been brought after analyzing 24,000 comments, conducting dozens of inter-ministerial meetings, and taking feedback from 48+ organizations, aims to protect the privacy of Indian citizens; and any entity found to be failing to protect the digital personal data of individuals will be penalized with a hefty of up to Rs. 250 crores. The bill also bars children's data exchange without parental consent. It commands data fiduciaries to erase information upon understanding its lack of use for original business objectives.      

Critical Gaps

Despite being fairly essential in the current scenario, the Digital Personal Data Protection Bill will most likely pose certain challenges for companies complying with it. Given that the bill mandates businesses to adhere to data protection standards, they will be needed to employ changes to existing functions by investing in data protection infrastructure, causing additional financial burdens. While larger entities may be equipped with compliance measures, startups, and medium-scale businesses may struggle to meet these needs due to tight budgets. 

Impact on Individual Users

When enacted, the Digital Personal Data Protection Bill will bring a regulatory system to manage data breach cases. However, the law will only cater to digital data and not physical data. For instance, an individual uses paper and refrains from making the information digital; they would not have to follow these guidelines, irrespective of how much data they hold. From a broader perspective, the bill is a step in the right direction for individuals to gain authority over their personal data and have the right "to be forgotten."   

In fact, users will witness significant changes, like concise privacy notices, data misuse alerts, and access to see and fix data. The changes will appear in the following ways:

• For instance, let's consider a fashion e-commerce brand seeking permission to offer personalized product suggestions based on a user's browsing history and purchasing habits. Brands must obtain explicit consent before utilizing customer information for personalized marketing endeavors. Incorporating pop-up notifications or consent forms within websites and applications is imperative to adhere to regulations and provide customized experiences to clientele. 
• Furthermore, brands must utilize customer data exclusively for their designated purposes and uphold its precision. Demonstrating a commitment to erasing customer data after its initial use fosters confidence and ensures conformity with privacy protocols. For example, an application collects customer data to facilitate delivery services, restricting its use solely to the intended initial objectives and ensuring accuracy. 
• Lastly, brands must prioritize data security by safeguarding sensitive customer details through encryption, multi-factor authentication, and routine security assessments.

By acquiring explicit consent, preserving data precision and security, empowering data subjects, and adhering to regulations governing international data transfers, we can establish conscientious data management practices, fostering reliance from our clientele. Embracing the tenets outlined in the bill bolsters our commitment to compliance, enriches customer connections, and nurtures an image of a brand devoted to safeguarding privacy.

Hits and Highlights Worth Noting 

Like a handful of hiccups, the bill also presents a host of hits. Most importantly, India's Digital Personal Data Protection (DPDP) Act is on an equal footing with the European Union's General Data Protection Regulation (GDPR). Yet, the bill has been improvised per the requirements and challenges of India's business ecosystem. Unlike the previously presented bills, the current one has emerged as inclusive, considering the illiterate, less privileged, and vulnerable. The DPDP Act will allow them to access their data in English and 22 other regional languages. 

The techno-legal regime and digital operations are a promising and welcomed step, as they eliminate geographical and logistical restrictions for grievances and authorities, reinforcing effective complaint handling with minimum disruption. Importantly, the bill also extends relaxations to companies managing and processing personal data across the border. This is a shift from the earlier version that permitted data transfer to a select few destinations identified by the government. 

To Conclude 

As rightly intended, the Digital Personal Data Protection Bill is the answer to our privacy plights. It will protect our privacy and regulate the collection, processing, and transfer of personal data, fostering a sense of trust and security between individuals, businesses, and the government. But to reap the rewards of this change, companies, especially those operating in the tech and social media space, will need to embrace technological changes and hire experts to ensure the regulatory requirements are met!  

The article has been written by Chandan Bagwe, Founder and Managing Director, C Com Digital