Getting There, But Not Quite There Yet — The Indian Digital Personal Data Protection Act, 2023
The Indian Parliament passed the much-awaited Digital Personal Data Protection, or DPDP, bill on August 10, 2023. This comes six years after the Supreme Court of India declared the right to privacy a fundamental right. The Ministry of Electronics and Information Technology (MeitY) introduced the first draft of the bill in 2022 but later withdrew it for further consultation when the industry expressed concerns about some of its provisions. This significant piece of legislation is now just a procedural step away from becoming law.
This bill is very similar to other data protection laws (mainly the GDPR and the ADPPA) across the globe, especially in how it defines personal data, requires the consent of the data principal for data processing, and defines the obligations of the data fiduciary. The bill does differ in a few areas:
- It allows cross-border flow of data to all geographies except those blacklisted by the government. Other similar laws such as the GDPR, on the other hand, use a whitelisting approach. This is understandable, considering that whitelisting can be cumbersome for the process outsourcing services industry in India.
- It is applicable only for “digital” personal data or data digitized post offline collection.
- It also does not categorize personal data in detail, unlike the GDPR and ADPPA, leaving it a bit vague.
- It does not have a “right to be forgotten” provision, unlike the GDPR.
The State Is Mostly Exempt From Its Provisions
The central government and its agencies are exempt from the DPDP in the interest of national security and law and order. It exempts the state agencies from deleting the personal data after use and overrides the consent of an individual when the state processes personal data for provision of benefits, services, license permits, or certificates. Further, it removes purpose limitation as far as the state is concerned. This is like the UK Data Protection Act of 2018, although the UK law regulates bulk processing of personal datasets and has more safeguards against misuse by the state. The DPDP also does not have provisions for the regulation of harm arising from processing of personal data. Harm may include financial losses, loss of access to any special benefits, identity theft, loss of reputation, discrimination, and more. It also does not provide the right to portability.
More Clarity On Process Will Be Helpful
More clarity is needed regarding the process for identifying the source of a data leak or breach, as well as how accountability is defined. Similarly, the law requires data fiduciaries to take reasonable measures to protect the data and to obtain consent before sharing it; it would be helpful, however, to also have some clarity around an implementation mechanism. Note that the law does not define the redressal mechanism available to the data principal in case of a data breach, and it skips procedural questions such as: Should affected individuals complain to a central authority if they feel that their data has fallen into the wrong hands? Should they file a police complaint? Who is the accused in this case? The data principal may not even be aware of the source of the leak.
Impact On The Industry
The good news for the industry is that the policymakers have tempered some of the draconian clauses that existed in the earlier draft, especially the requirement to report breaches to the authorities within 72 hours, as recommended by the Joint Parliamentary Committee. These clauses had rightfully made the industry apprehensive.
Industry leaders must note that:
- They will need to be more cautious about sharing of personal data — e.g., a bank/e-commerce company/food delivery app sharing customer details with a travel app/insurance provider/healthcare app. These can lead to legal challenges for the primary data fiduciary.
- The DPDP may need to clarify what counts as reasonable data protection in case of a breach. But it still expects reasonable data security and protection methods to be in place to safeguard personal data and comply with the law.
- The industry will need to do more work around auditing and implementation of the law. They must ensure the deletion of related personal data from all the records once a data principal withdraws their consent.
- The industry must watch out for the blacklisted regions/areas/countries to which they are not allowed to transfer personal data.
- Industries such as education tech, healthcare, sports, and more must be careful with data on minors and people with disabilities. This is positive, as it will ensure the safety of the most data-vulnerable sections of society.
- The law needs to provide more detail on the use of AI on personal data to provide better services to customers and/or employees. This can become complicated in some cases, such as service center outsourcing; there, the entities managing the data or building and training the AI models and the data fiduciary may be different.
Talk To Us!
As we study the bill further and understand its implications under enforcement, we will continue to update this space. Please contact us to learn more about the Digital Personal Data Protection Act, 2023, or similar laws across the globe.