In a recent interview, the minister of state for IT and electronics, Rajeev Chandrasekhar, expressed hope that India's Digital Personal Data Protection (DPDP) bill will come up in the Monsoon session of Parliament, held from July to September.
The bill aims to establish guidelines for processing digital personal data in a way that respects both the need to process personal data for legitimate purposes and the right of India's 1.2 billion consumers to have their data protected.
|
"I have absolutely no doubt that the DPDP Bill will create deep behavioural changes among platforms in India who have for long exploited and misused personal data" - Rajeev Chandrasekhar, India Minister of State for IT and Electronics (Source: The Economic Times) |
India currently enforces the Information Technology Act, 2000 (IT Act), and the Indian Contract Act, 1872, to protect data since no proper data protection law exists.
Following the withdrawal of the proposed Personal Data Protection Bill 2019 in August 2022, the Ministry of Electronics and Information Technology (MeitY) published a draft for the Digital Personal Data Protection Bill, 2022 (DPDPB) on November 18, 2022, for public comment.
More than 20,000 suggestions for modifications have been received. Some businesses that had expressed concerns about the joint parliamentary committee's recommendations on the proposed measure included Meta, Google, and Amazon.
The new bill showcases the rights and duties of the “Digital Nagrik” (Digital Citizen) and the law to collect data. This law incorporates best practices from nations such as Singapore, Australia, and the European Union. A focus on lawfulness, fairness, and transparency of the process, as well as minimization of data, accuracy, and storage limits.
The DPDP is still in the legislation phase, so changes are possible, but here are some of the key points from the current draft:
-
Data Localization: The bill requires personal data to be stored and processed within India, with some exceptions. Sensitive personal data may have additional localization requirements.
-
Consent: The bill emphasizes obtaining informed and explicit consent from individuals for data processing.
-
Data Rights: Individuals are granted specific rights over their personal data, including the right to access, correct, and erase their data. They can also withdraw consent and restrict the processing of their data under certain circumstances.
-
Data Protection Authority: The bill proposes the establishment of a Data Protection Board of India (DPA) to oversee and regulate data protection activities. The DPA will have powers to enforce compliance, conduct audits, and impose penalties for violations.
-
Cross-Border Data Transfers: The bill includes provisions for transferring personal data outside India, subject to specific conditions and data protection safeguards.
-
Accountability and Security Measures: Organizations are required to implement appropriate security measures to protect personal data. They must also conduct data protection impact assessments and maintain records of data processing activities.
Although inspired by existing laws such as Europe's General Data Protection Regulation, the Bill has its unique outlook. Asked about the recent record-breaking fine received by Meta in the US, Rajeev Chandrasekhar commented:
|
"I don't think we are in the business of competing with the EU in terms of the size of the penalty, but the formulation of penalties in this Bill is sufficient to incentivise every data fiduciary or any platform to behave correctly, to follow the law, and do the right thing," - Rajeev Chandrasekhar, India Minister of State for IT and Electronics (Source: The Economic Times) |
What are your thoughts on India's Digital Personal Data Protection Bill? Join the conversation in our Yes We Trust community, a free discussion group for data privacy professionals and enthusiasts, on LinkedIn:
