The first draft of the Personal Data Protection Bill was introduced in 2017 and was presented in the Lok Sabha (the lower house of India’s Parliament) in 2019. However, it was withdrawn that year and a revised draft was introduced in 2021.
The government is hopeful that the revised draft of the Personal Data Protection Bill will lead to improved data protection and online user safety, as well as the replacement of the IT Act (Information Technology Act).
The ongoing uncertainty surrounding the Personal Data Protection Bill has led to concerns about a delay in ensuring the safety of internet usage in the country.
The Personal Data Protection bill is a piece of legislation being considered by the government of India to regulate the collection, use, and protection of personal data. The bill aims to ensure that individuals have control over their personal data and that businesses and other organizations handle it responsibly.
The bill has garnered significant attention from experts in the field of data protection and privacy, and their opinions are critical in understanding the potential impacts of the legislation.
It is a bill (draft of a proposed law that is under discussion in the parliament) that aims to give people the right to decide how their personal data is used. The bill was formulated under Justice Sree Krishna Committee, under the Ministry of Electronics and Information Technology, and is about giving individuals control over their personal data.
In the proposed law, individuals are referred to as “Data Principals” and the businesses or government entities that process their data are called “Data Fiduciaries.” The bill focuses on a concept called “data localization,” which requires the data of Indian citizens to be stored in data centers within India. Essentially, the bill aims to give individuals control over their personal data and ensure that it is stored and processed within the country.
Also, the Joint Committee of Parliament (JCP) was formed for clarifying public policy concerns on Personal Data Protection bill in India.
Tech companies opposed a provision in the Personal Data Protection Bill called data localization, which would have required them to store certain sensitive personal data within India and prohibited the export of undefined “critical” personal data from the country. Activists also criticized a provision that allowed the central government and its agencies to exempt themselves from following any provisions of the bill.
On August 3rd, 2022, the government withdrew the Personal Data Protection Bill from Parliament due to the existence of a “comprehensive legal framework” that already regulates online spaces, as well as separate laws on data privacy, cybersecurity, and the use of non-personal data to foster innovation within the country.
During the submission of the report in Parliament, JCP shared the concern raised by Justice Sri Rama Krishna that if the Personal Data Protection Bill were to be approved, it has the potential to turn India into an “Orwellian state” due to exceptions for certain central government agencies within the bill, as well as the existence of allegations of targeted attacks against opposition groups by these agencies.
Simply, the goal is to create a cohesive approach to these issues rather than addressing them through separate laws.
And the government withdrew the bill based on the citations by JPC and due to the “extensive changes” by the JPC.
The next iteration of the bill is expected to be released on 2023 February, during the next budget session in accordance with the reports from the citation to the media by Ashwini Vaishnaw, Minister for IT and Tech in September 2022.
Seven experts shared their opinions on the Personal Data Protection bill. Overall, the experts were generally supportive of the bill, citing its provisions for greater transparency and accountability in the handling of personal data.
Interviewer: How should organizations adapt their data protection policies and procedures considering the Personal Data Protection bill?
“The Foundation and the sustenance of the digital economy are in the TRUST its constituents have in the environment it provides. Good governance across the lifecycle of data is critical in ensuring that.
Information privacy is no longer a good-to-have requirement but an essential hygiene requirement for all.
Each stakeholder must be aware of their roles and responsibilities in the governance and protection of information, which helps in setting the proper context and their participative role in the overall information governance.”
Interviewer: How can organizations start preparing themselves to not be caught off-guard with PDP?
“India has embarked on a rapid digitization path over the past couple decades. This has been strengthened by the Digital India effort, which has made government services accessible to citizens electronically by enhancing online infrastructure and expanding Internet connectivity. More rural areas are now connected to high-speed internet networks, and inhabitants of all demographic groups have begun to utilize digital services. In tandem with this, issues and worries related to the privacy of personal data have increased.
Our Personal Data Protection Bill is shaping up to be a comprehensive piece of legislation to control the acquisition, storage, and processing of personal data by businesses, although a bit late. Service providers and industries must take the appropriate precautions to avoid being on the wrong side of the law once it goes into effect.
The following are the basic steps a company should take to prepare for the bill.
Perform a thorough data audit to identify the personal data that the company collects, maintains, and processes. This covers both information acquired directly from individuals and information obtained from third parties.
Appoint a data protection officer if one is necessary for the type of business.
Examine and revise the data protection policies. Confirm that the organization has implemented policies that meet the PDPB’s requirements. This involves data collection, storage, processing, and retention policies.
Train your employees. Make sure that your staff knows what their responsibilities are under the PDPB, especially when it comes to protecting and securing personal data.
Review 3rd party contracts: If you exchange personal data with third parties, ensure that your contracts with them comply with the PDPB and include sufficient safeguards for the security of personal data.”
Interviewer: How do you see the role of cyber security professionals evolving in ensuring compliance with the Personal Data Protection bill, and how can they support organizations in this regard?
“It is crucial to have proper controls for data security if we want to keep our valuable information such as PII safe in cyberspace. Section 9(4) of Personal Data Protection Bill (PDPB) makes it clear that proper technical and organizational controls must be implemented to keep personal data from leaking. Failing to implement appropriate controls will attract significant penalties from the supervisory authority, apart from brand damage and reputational loss in the event of a data breach.
A fine of up to Rs. 250 crores may be imposed in such cases, according to India’s most recent PDPB. To ensure that the company is in line with data protection laws, it is important to keep an eye on its systems and react swiftly to any problems or breaches that arise. Professionals in the field of cyber security play a pivotal role by collaborating with other departments within an organization, such as the legal and compliance departments, to learn the ins and outs of the relevant laws and create effective policies and procedures for the safekeeping of sensitive information.
They also do risk assessments to determine whether the company’s systems and processes for managing sensitive information are susceptible to compromise, and then design and implement countermeasures to close those gaps.”
Interviewer: How should organizations adapt their data protection policies and procedures considering the Personal Data Protection bill?
“Businesses that handle the personal information of their employees, suppliers, and customers will fall under the provisions of DPDP. In order to comply with DPDP, organizations shall need to do the following:
Define the business processes and functions of the organization that that are in scope of digital personal information collection, processing, and control.
Document and maintain a data asset inventory for the above.
For each data asset, document and implement a privacy impact assessment.
Document and implement risk assessment for personal data information that is in scope
Maintain a record of all processing activities.
Determine and document the conditions for collection and processing.
Identify the lawful basis.
Determine how and when consent needs to be obtained and recorded.
Sign data privacy agreements/contracts with suppliers and vendors with explicitly defined terms and conditions of data subjects’ rights like consent, notice, retention etc.”
Interviewer: What are the key provisions of the Personal Data Protection bill, and how do they impact businesses and individuals?
“Personal Data Protection bill is a great step in security towards personal data of the individuals in the country. This is the need of the hour. We have seen a lot of loopholes in the data protection provisions laid by the companies. The Personal Data Protection bill specifies the penalties in case of discrepancies from INR 50 crore to INR 250 crore. If the organization is not taking the right provision to safeguard the personal data of the individuals. The breach must be notified at the earliest and any non-compliance will lead to further actions.”
Interviewer: How will the PDP bill impact the way companies handle personal data?
“Data-enabled decision-making shall be one of the core outputs of the bill and this will improve the public service delivery and enhance technology interventions through startups engagement. If passed into law, the PDP Bill would impact the way companies handle personal data by requiring them to comply with certain data protection measures and principles.
Under the PDP Bill, companies would be required to obtain the explicit consent of individuals before collecting, storing, or using their personal data. They would also be required to store personal data in a secure manner, and to limit the use of personal data to the purposes for which it was collected. In addition, the PDP Bill would give individuals the right to access, correct, and erase their personal data, as well as the right to object to the processing of their personal data.
Overall, the PDP Bill would create a more robust framework for protecting personal data in India and would require companies to be more transparent and accountable in their handling of personal data.”
Interviewer: How will PDP help to enhance trust and reduce the misuse of data by advertisers and the government?
“The Personal Data Protection Bill is a legislation that aims to regulate the collection, use, and processing of personal data by organizations. It seeks to enhance trust by establishing a framework for the responsible handling of personal data and providing individuals with greater control over their personal data.
One way in which the bill can help to reduce the misuse of data by advertisers and the government is by requiring organizations to obtain explicit consent from individuals before collecting and using their personal data. This means that individuals must be clearly informed about how their data will be used and must opt-in to having their data collected and processed. This can help make sure that no one’s personal information is collected or used without their knowledge or permission.
The bill also includes provisions that require organizations to put in place appropriate security measures to protect personal data from unauthorized access or disclosure. This can help reduce the risk of data breaches and the misuse of personal data.
Finally, the bill establishes a regulatory authority, the Data Protection Authority (DPA), which will be responsible for enforcing the provisions of the bill and ensuring that organizations comply with its requirements. This can help to ensure that organizations are held accountable for any misuse of personal data and can help to enhance trust in the handling of personal data.”
The potential impacts of the Personal Data Protection bill are significant, both for individuals and for businesses. For individuals, the bill could provide greater protection against the misuse of their personal data and give them more control over how it is collected and used.
For businesses, the bill could result in increased compliance costs and changes in how they handle personal data.
Some experts suggest that the bill could also have broader societal impacts, such as promoting greater trust and confidence in the handling of personal data and encouraging the development of new technologies and practices to protect personal data.
Overall, the expert opinions on the Personal Data Protection bill are largely positive, with many experts noting its potential to protect personal data and promote greater transparency and accountability. However, there are also concerns about the enforcement of the bill and the potential for companies to find ways to work around its provisions. To maximize the benefits of the bill, it will be important for the government to address these concerns and ensure that the legislation is effective in protecting personal data and promoting responsible data handling practices.
THE DIGITAL PERSONAL DATA PROTECTION BILL, 2022