New Delhi: As the Digital Personal Data Protection Bill stands passed by Parliament on Wednesday, legal experts are divided on aspects of privacy awarded to Indian citizens and its wider implications for the IT industry.
Rajya Sabha Member and lawyer Sirgapoor Niranjan Reddy said the Bill is written in easy language and the illustrations provided by the government are very useful.
He, however, pointed out that exemptions for startups "may have to be conditioned", as that can be misused, especially in the case of data mining startups.
The government on August 3 tabled the Digital Personal Data Protection Bill (DPDP) 2023 in the Lok Sabha with an aim to protect the privacy of Indian citizens.
Shardul Amarchand Mangaldas and Co Partner Hemant Krishna feels the implementation of the DPDP will give control to citizens and businesses over collecting and processing data.
"With the strides made by AI, personal data can be processed with unprecedented velocity and sophistication. Ironically, despite the volume and variety of personal data in India, due to the absence of a proper privacy framework, citizens have not had sufficient control over their data, and businesses have struggled to find legitimate ways to collect and process personal data. That is all set to change when the DPDP Bill becomes law," Krishna said.
Advocate Rajat Kumar Kaushik takes a different view: he feels the bill has not incorporated recommendations from the general consultation in 2022.
"The presented Bill appears to have miserably failed to acknowledge and inculcate the recommendations made by the general public during the public consultation from November 2022 onwards. The Bill states that all its members will be selected by the Union Government and exempts the government instrumentalities from the processing of data," he said.
Kaushik feels the bill "fails to place any safeguard to protect the citizens of the State from over-surveillance".
"The DPDPB also grants the withdrawal of consent given to the usage of personal data, however, the provisions of the bill do not provide any remedy if the same data had already been made public prior to the withdrawal of the consent," Kaushik noted.
The Bill has given enormous control to the Union Government and appears to act in favour of the government rather than the people whose privacy it was meant to protect, he added.
Risk Advisory Partner at Deloitte India Manish Sehgal said, "Data protection bill once enacted will enhance the privacy cognizance of Indian citizens by empowering them with their privacy rights through transformative accountability measures to be adopted by enterprises. Driving robust protection and security measures, combined with effective privacy policies and grievance redressal are the layered requisites towards its compliance".
HJA and Associates LLP Managing Partner Jitender Ahlawat said the Bill's effects on technology companies and the broader IT industry are complex.
"The bill has the potential to change how businesses operate, increase the costs associated with following regulations, and impact how data is handled. Following these rules, which involve protecting data and following proper procedures, could be difficult for companies, especially smaller ones," he said.
The requirement to keep data within the country affects how companies work across borders, which might lead to changes in how things are done, he added.
"Striking a balance between protecting personal information and encouraging new technologies is extremely important. The bill shows that India is determined to handle data securely, but it's up to the industry to work together and find a way to respect people's privacy while still allowing technology to advance," Ahlawat noted.
Sourabh Deorah, CEO and Co-Founder of HRTech startup Advantage Club, said the Bill ensures the right of privacy for citizens as technology becomes "an even greater force in our lives".
Saying that the Bill is a "clarion call" for startups, Deorah pointed out that emerging companies have an opportunity to innovate with a conscience.
The DPDP 2023 proposes a penalty of up to Rs 250 crore on entities for misusing or failing to protect the digital data of individuals.
The Data Protection Bill is undoubtedly a forward-thinking legislative approach, said Matthew Foxton, India Regional President & Executive Vice-President, Branding & Communications at IDEMIA.
"In an interconnected world driven by data, safeguarding personal information and maintaining the trust of individuals is paramount. The imperatives of data security and privacy must loom large as India is set to lead the digital revolution in identity and payments," he said.
Industry body Nasscom welcomed the development, saying the bill is a leap for India to establish a robust framework for personal data protection, building the nation as a trusted data destination.
Nasscom President Debjani Ghosh said, "The passage of the Data Protection Bill by both the houses of Parliament is a landmark moment...we appreciate the consultative approach that engaged all relevant stakeholders at each phase in defining the digital data protection bill and are really looking forward to India having its own Data Protection law".
EY India Cybersecurity Consulting Leader Murali Rao noted implementation complexities in the Bill that could prove to be a challenge for organisations while complying with the requirements.
"Ensuring verifiability of parental consent for processing personal data of children, building a mechanism for obtaining and recording consent of Data Principals through a consent manager, complying with the Data Principal’s rights to erasure, undertaking accountability for the Data Processors pursuant to processing on behalf of Data Fiduciaries," he said.
Induslaw Partner Shreya Suri said the Bill is a positive and much-needed step for India and will also help position India as a viable jurisdiction for data adequacy arrangements with other progressive nations.
"Given the rapid developments in relation to the passing of this Bill, it can be expected for it to be enacted and implemented as law sooner than originally anticipated. The data fiduciaries can consider proactively looking at the transition implementation," Suri said.