Introduction & Background
The Minister for Electronics & Information Technology, Mr. Ashwini Vaishnaw, moved the long-standing Digital Personal Data Protection (DPDP) Bill in the Lok Sabha on 7th August 2023. The sitting assembly passed the bill with a voice vote amidst objections, bringing India closer to passing its first law defining how private or governmental institutions can use or process citizens’ data.
History
The process of drafting a comprehensive data protection framework began in India after the Supreme Court’s ruling in 2017 that privacy is a fundamental right. The Ministry of Electronics and Information Technology (MeiTY) established an expert committee headed by Justice B.N. Srikrishna in 2017, which marked the beginning of the process toward a data protection law. In July 2018, the committee submitted a draft bill titled the “Personal Data Protection Bill, 2018.” This draft proposed significant changes to how personal data is handled and processed in India, taking inspiration from the European Union’s General Data Protection Regulation (GDPR).
The draft bill was open to public consultation, and various stakeholders, including industry experts, privacy advocates, and the general public, provided feedback on the bill’s provisions. Considering the feedback received during the consultation, the committee revised the draft bill and released a version titled the “Personal Data Protection Bill, 2019” in December 2019.
Introduction of the Bill in the Parliament
The 2019 version of the bill was introduced in the Lok Sabha in December 2019. It was referred to a Joint Parliamentary Committee (JPC) for further examination. The Joint Parliamentary Committee held several meetings to deliberate on the bill, inviting various stakeholders for their input. The JPC examined the bill’s provisions to ensure they aligned with India’s socio-economic and technological context. The JPC was tasked with considering potential amendments to the bill based on the feedback received during its examination. The JPC extensively consulted with stakeholders and submitted its report in December 2021. The report made several recommendations for changes to the PDP Bill, including:
- Expanding the definition of personal data
- Strengthening the rights of data subjects
- Increasing the penalties for data breaches
- Clarifying the role of the Data Protection Authority of India
The Data Protection Bill 2021 (DPB, 2021) was published in December 2021, a significant development. On August 3, 2022, it was retracted in Parliament by Ashwini Vaishnaw, the minister of communications and information technology. A draft of the Digital Personal Data Protection Bill 2022 (DPDPB, 2022) was made available for public comment on November 18, 2022. The comments submitted as part of this consultation process were kept private. In a Right to Information case, the demand for the submissions to be made publicly available was also rejected. The government accepted most of the JPC’s recommendations and introduced a new version of the PDP Bill in Parliament in August 2023. The new bill is the Digital Personal Data Protection Bill (DPDP).
Salient Features of DPDP Bill
The Bill is characterized by its succinct and SARAL approach, which stands for Simple, Accessible, Rational, and Actionable Law. This legislative instrument adheres to these principles through the following methods:
- Clarity in Language: The Bill employs straightforward language, eschewing convoluted terminology.
- Visual Aids: The inclusion of illustrations aids in rendering the content lucid and easily comprehensible.
- Absence of Provisos: Notably, the Bill refrains from employing provisos or conditional clauses that could potentially complicate its interpretation.
- Minimal Cross-Referencing: The Bill minimizes the practice of cross-referencing, contributing to a streamlined and coherent legal framework.
An intriguing departure from conventional language conventions emerges within the Bill. By employing the feminine pronoun “she” instead of the customary “he,” the legislation makes a significant stride toward acknowledging women’s representation within the realm of parliamentary law-making. Within the purview of the Bill, several fundamental rights are conferred upon individuals, encompassing:
- Right to Information Access: This right grants individuals the prerogative to access information concerning the processing of their personal data.
- Right to Data Correction and Erasure: Individuals possess the right to rectify inaccuracies in their data and request its deletion when appropriate.
- Right to Grievance Redressal: The Bill recognizes the right to seek resolution for grievances arising from data handling and processing.
- Right to Nominate Representative: Individuals are empowered to designate a representative to exercise their rights in instances of incapacitation or demise.
In the pursuit of asserting these rights, an affected Data Principal is initially endowed with the option to approach the Data Fiduciary, the entity entrusted with data management. Should this engagement prove unsatisfactory, the affected party maintains the recourse to file a complaint against the Data Fiduciary before the Data Protection Board. This mechanism is thoughtfully designed to ensure a streamlined and uncomplicated process for seeking recourse and resolution.
Amendments to the Digital Personal Data Protection Bill
The DPDP Bill is a significant improvement over the PDP Bill of 2019. It provides more robust protection for data subjects and imposes stricter penalties on fiduciaries. The bill also creates a new independent regulator, the DPAI, to enforce the law. The DPDP Bill is still a work in progress but is a significant step forward for data protection in India. The bill is expected to be passed into law in the coming months. Some of the key amendments to the Digital Personal Data Protection Bill of 2023 are:
- Biometric Data Inclusion: The definition of personal data has been expanded to include biometric, genetic, and inferred data. This means that companies will now need to obtain consent from individuals before collecting and processing these types of data.
- Personal Data Control: The rights of data subjects have been strengthened, including the right to access, correct, delete, and port their data. This means that individuals will have more control over their data and can request that companies delete it if they no longer want it to be used.
- Data Breach: The penalties for data breaches have increased to Rs. 250 crore (about US$300 million). This is a significant increase from the penalties under the PDP Bill of 2019, and it is designed to deter companies from failing to protect personal data.
- Authority of DPAI: The Data Protection Authority of India’s (DPAI) role has been clarified, giving it more powers to investigate and enforce the law. The DPAI will now be able to conduct unannounced inspections of data fiduciaries and have the ability to impose penalties on companies that violate the law.
- Significant Data Fiduciary: A new concept of “significant data fiduciary” has been introduced, which applies to companies that process large amounts of personal data. These companies will face stricter obligations under the law, such as the need to conduct data protection impact assessments and appoint a data protection officer.
- Data Localization: The bill also includes data localization provisions, which require companies to store certain types of personal data within India. This is designed to protect the privacy of Indian citizens and to prevent the export of sensitive data to countries with weaker data protection laws.
Impact of the Amended Bill on Businesses and Individuals
The heightened concerns primarily revolve around the potential escalation of compliance costs, a factor that has raised apprehensions among numerous experts and entities, particularly within India’s startup ecosystem.
- Notably, the absence of the ‘deemed consent’ provision has emerged as an unexpected element that has garnered significant attention from both policy experts and organizations. This provision, rooted in legal doctrine, grants the prerogative for personal data processing in the absence of explicit consent, subject to specific conditions being met.
- Within the bill’s framework, a pivotal development pertains to the transfer and processing of personal data beyond India’s borders, which is permissible. Nonetheless, businesses have voiced a collective call for enhanced clarity on multiple dimensions surrounding this facet.
- The bill deliberately excludes from its scope personal data that has been publicly disclosed. This particular exclusion bears potential consequences for the functioning of search engines and artificial intelligence-driven chatbots within the country.
- Moreover, discernible in the bill are stringent requisites governing the processing of children’s data. A cardinal stipulation mandates parental consent as an imperative precondition for the processing of minors’ data, albeit with specific exemptions in place.
- The legislation unequivocally proscribes the practice of tracking and engaging in behavioral monitoring of children, a proscription that carries certain exemptions within its provisions.
As this article elucidates, the prevailing concerns predominantly pivot around amplified compliance expenditures and the unexpected absence of ‘deemed consent’. Additionally, the legislation introduces a comprehensive framework for cross-border data transfers and carries implications for publicly available personal data. Moreover, it establishes meticulous guidelines for processing data associated with minors, accompanied by provisions delineating the boundaries of tracking and behavioral monitoring of children.
Conclusion
The DPDP Bill is a comprehensive and ambitious data protection law that is designed to protect the privacy of Indian citizens. The bill is still a work in progress but is a significant step forward for data protection in India. The bill is expected to be passed into law in the coming months. The passage of the DPDP Bill will be a significant victory for privacy advocates in India. The bill will provide more robust protection for data subjects and help deter companies from misusing personal data. The bill will also help to create a more level playing field for businesses, as all companies will be subject to the same data protection rules. The DPDP Bill is a positive step for India but is imperfect. The bill still needs to be passed into law, and it is still being determined how the DPAI will be funded and staffed. However, the DPDP Bill is a good starting point and can be improved over time.