DPDP Bill 2023 needs relevant changes

DPDP Bill 2023: On Tuesday, the standing committee on communications and IT said in its report on data security and privacy, which was tabled in Parliament, that the Digital Personal Data Protection (DPDP) Bill should be the main legislation for data handling and privacy and should be enacted into law at the earliest to safeguard citizens' data and their privacy.

The committee, which has met twice since the bill was last introduced in November 2022, said it made its recommendations based on the submissions made by the Ministry of Electronics and Information Technology.

Proposed changes to the DPDP Bill

The Digital Personal Data Protection Bill, 2022, proposed by the Ministry of Electronics & Information Technology (MeitY), is likely to undergo certain changes prior to being introduced and considered in the ongoing session of Parliament. Many of these changes are proposed in the interest of making the Bill simple in approach. However, certain changes have been proposed which may contribute to uncertainty and grant greater discretion to the proposed Data Protection Board. At the outset, many key provisions, such as the determination of reasonable purposes, the specific purposes for which deemed consent may be relied upon, the sensitivity grade for personal data, and the framework for the operation of consent managers, have been left to rule-making or later determination.

This in turn would further necessitate a strong and independent Data Protection Board tasked with a larger functional role than the contemplated ‘adjudication’ of issues pertaining to informational privacy. Certain changes with regard to cross-border transfers are welcome, with the reported changes favoring a ‘black-list’ approach.

However, assessing the permissibility of a transfer may also depend on ‘terms and conditions to be prescribed’ (as provided in the Bill). It is unclear at this stage whether factors such as intra-group schemes and standard agreements for transfer, which are relied upon as bases for permitting cross-border transfer of personal data in other frameworks, would also be prescribed under the Indian regulations.

“While a nimble approach to the legislation is preferred, it must be factored in that a robust framework for data protection which balances business and individual interests is the need of the hour, not only for ease in conducting business, but also owing to higher possibilities of recognition of ‘adequacy’ by other jurisdictions (such as the EU) which are also helpful in facilitating cross-border data flows and trade,” says Prashant Phillips, Executive partner at Lakshmikumaran & Sridharan Attorneys.

Shruti Sodhi, Partner, Khaitan Legal Associates, is of the view that the implementation of the bill is expected to create situations where compliance requirements from different regulators may overlap. For instance, insurance companies may face the challenge of meeting both IRDAI (Insurance Regulatory and Development Authority of India) and Data Protection Board requirements. “The bill must further clarify specific privacy by design measures to be taken by a company to ensure compliance with international transfer obligations. This will eliminate ambiguity of whether additional compliance requirements are to be undertaken for carrying out cross-border business operations,” says Sodhi.

2023 Bill vs 2022 Bill

The 2023 Bill is naturally very close to the 2022 Bill. The expectation was that the 2023 Bill would address many of the issues identified in the 2022 Bill. However, that does not seem to have happened. Some of the main concerns, as cited by Anupam Shukla, Partner at Pioneer Legal, are:

While the 2023 Bill provides for hefty penalties of up to Rs 250 cr, imposing them is left to the discretion of the Data Protection Board (DPB), depending on whether the DPB determines the breach to be “significant”. The 2023 Bill does not clarify what would constitute a significant breach.

The 2023 Bill also appears to be conspicuously silent on two important rights generally afforded to Data Principals – the right to be forgotten and the right to data portability. It would also be preferable for the provisions relating to “deemed consent” in the 2023 Bill to be more specific, to avoid misuse.

The 2023 Bill still comes across as a very stripped-down version rather than a robust and comprehensive privacy law. The 2023 Bill makes use of many undefined and ambiguous terms such as “reasonable time” and “reasonable security safeguards”. It is hoped that the rules will fill in some of these areas to avoid confusion.

The 2023 DPDP Bill prescribes a range of penalties from Rs 10,000 to Rs 250 cr depending on the seriousness of the offense. These are the same as the maximum penalties prescribed in the 2022 Bill. However, while the 2022 Bill also empowered the Data Protection Board to impose a penalty of up to Rs 500 cr, the 2023 Bill appears to have capped the maximum penalty at Rs 250 cr.

Earlier privacy bills prescribed the age of consent for privacy compliance of children's data as 18 years. However, social media companies have been keen to have a lower age of consent. Keeping the age threshold at 18 years would mean significantly higher compliance obligations for them in a sector that is booming with young users. This is in line with the regulations in the US and EU as well. The 2023 Bill also introduces the concept of age-threshold exemptions for Data Fiduciaries that ensure the processing of children's personal data is done in a manner that is “verifiably safe”.

“The 2023 Bill still devolves an undue amount of power on the Union Government, from the exceptions permitted in the 2023 Bill to the potential influence of the Union Government in the constitution of the DPB. This doesn’t seem to be in line with the test of proportionality for privacy laws as enshrined in the Puttaswamy judgment,” says Shukla.

What to Expect from DPDP Bill 2023

Data privacy regulation has been long overdue in India and is the need of the hour, considering that many countries across the globe adopted such regulation almost 3-5 years ago. “While we expect the digital transformation of Indian companies to gather pace and momentum by virtue of this bill, and more personally identifiable information (PII) records being stored on cloud servers in encrypted folders, thereby assigning unique identification numbers to the data principals for ease of access or retrieval, it will be a long time before we see India go completely paperless and store PII records only in digital formats,” says Tarun Kher, Partner, Risk Advisory Services, BDO India.

Kher points out that while he sees this bill governing IT-enabled services companies, which are tech-enabled and use digital platforms extensively for storing PII, it remains to be seen how quickly the rest of India could digitize PII records to ensure compliance with the provisions of the bill.

Source: Legalworld