Indian Government Invites Views on New Data Protection Bill Draft, Here’s What Industry Leaders Have to Say

The draft of the new Data Protection Bill has been unveiled, and opinions of experts have been invited by the Indian Government 

The new Data Protection Bill Draft, which was being awaited by the industry for some time now, has been unveiled. Ashwini Vaishnaw, Minister for Railways, Communications, Electronics and Information Technology, Government of India has also invited views from the general public on the draft. “Seeking your views on draft Digital Personal Data Protection Bill, 2022,” he said on Twitter.

While it may take some time for experts to analyse the bill and provide insights, initial reactions seem to be positive. Manish Sehgal, Partner, Deloitte India, said:“The Digital Personal Data Protection Bill ,2022 (Bill) aligns to nations’ digital spree. Its new title itself signifies the intent to continue pushing the digitization agenda thereby offering a legal framework to govern collection, usage, processing, and storage of digital personal data.  However, the Bill’s exemptions for Central and State agencies, along with exclusion of personal data stored and or processed in non-digital (original / handwritten / paper) format may be a gap to protect personal data and ensure privacy in entirety.

 As per the draft Bill, Data Principals are responsible to provide verifiably authentic personal data while exercising their rights. It’s interesting to note that the bill has also proposed a penalty of Rs. 10,000/- for non-compliance of duties expected of a Data Principal, which isn’t a common trend. However, this is likely to promote authenticity in data principal requests and limit non-legitimate requests.

One of the most discussed aspects in any such regulation is data localization. The Bill offers a relatively soft stand on data localization requirements and permits data transfer to select global destinations basis some predefined assessments. This is likely to foster country-to-country trade agreements, make it relatively easier for global enterprises to operate and process data with their current set-up rather than mandatorily developing large infrastructure in India for storing and processing of personal data.”

Similarly, Arun Prabhu, Partner & Head – TMT, Cyril Amarchand Mangaldas has also provided a positive feedback on the bill. “Unlike the previous draft Bills, which drew significant inspiration from the GDPR, this version of the Bill seems to be designed to be a shorter and simpler document, which may help with alignment and rapid adoption. That being said, while this simplification may have benefits, several concepts that the current Bill proposes, and some of the open ended language, may need refining before the Bill is adopted. 500 Crores is the maximum penalty under the Bill. It can only be imposed where a breach is significant. S.25 details how the penalty is to be evaluated and the schedule prescribes sub limits for penalties for specific breaches ranging down to Rs. 10000. Large fines for breaches are not uncommon globally,” he said.

Shahana Chatterji, Partner, Shardul Amarchand Mangaldas & Co said that they welcomed the Draft Digital Personal Data Protection Bill, 2022 and stated that they were looking forward to engaging with the government constructively on the proposed provisions. “This Bill is certainly a step in the right direction of striking a balance between supporting innovation and protecting user rights. In particular we note that many obligations applicable to data fiduciaries and processors and mechanisms relating to data processing have been simplified, which will likely enable easier compliance. That said, a significant portion of the rulemaking is likely to occur through rules and guidelines to be issued under the proposed law. We look forward to working with the government in developing these rules and the emerging data protection framework in India and supporting its aim of a $1 trillion digital economy,” said Chatterji.

That said, Sandip Kumar Panda, Co- Founder and CEO of InstaSafe Technologies is of the view that technology companies will now have to pay special attention to the bill to avoid hefty fines. ““The data protection bill is a much-needed law that has been pending for years. India, a host to the second-highest population of smartphone users, is prone to data breaches in social apps because, currently, we don’t have an apt law on how social apps handle our personal data. With this revised data protection bill, cybersecurity became the forefront of data management. Since the coming of the guidelines, tech firms will now pay special attention to data protection, privacy and residency. With hefty penalties, it might be a burden for small and medium organizations to meet compliance needs,” commented Panda.

Abhishek Tripathi, Managing Partner, Sarthak Advocates & Solicitors, is of the view that the new bill appears to be an over-simplified version of the PDP Bill 2019. “While certain essential tenets as to consent requirements for the processing of personal data have been retained from the earlier version of the bill, the distinction between sensitive personal data and personal data has been done away with. Deemed consent provisions particularly those arising out of public interest may also raise eyebrows, besides the extent of exemptions allowed. An important change relates to the substitution of earlier suggested Data Protection Authority of India with Data Protection Board of India. The functions, and most importantly composition of the Board are to be determined by the Government through delegated legislation. This may face constitutional challenge as it is arguably a case of excessive delegation,” he said.

Abhishek Malhotra, Managing Partner, TMT Law Practice, has highlighted certain positives as well as negatives of the new Data Protection Bill. “The draft Bill has watered down the objective of a data privacy and protection framework. It appears to give a simpler framework for people to be able to adopt it seamlessly. Unfortunately, however, the scope and applicability provisions have also been curtailed and limited to where collection is online or digitized and where Indians are targeted for profiling. This is a departure from where the focus was on the entities, their activities and presence.  The qualified title adding “Digital” to the bill, does not add any value to the nature of the legislation but just seems to be one shot amongst a slew of “digital India” policies and legislations that the government intends to roll out. One welcome aspect is that along with rights of the data principals prescribed within the Bill, there is explicit mention of the duties that the Digital Nagrik will have to adhere to. This is likely to bring in welcome reinforcements to the onerous obligations of the data fiduciaries,” he said.

“The 2022 DPDP Bill has simplified the proposed data protection regime and done away with some contentious clauses which caused industry pushback in earlier versions. Particularly, data mirroring, data localisation requirements, and overall compliances appear to be limited compared to the previous Bill. The legislative intent appears to be tech and IT business friendly, focused on facilitating cross-border data flows. Some aspects that have been watered down could potentially reduce overall protection accorded to individual privacy rights. The positive bit is that the Bill has been drafted in a simpler manner, with less ambiguities,” said Rupinder Malik, Partner, JSA.