Digital Personal Data Protection Bill Revised: How It Will Affect India's Tech Firms, State Instrumentations
While the revised Digital Personal Data Protection Bill adds a tight leash around companies to ensure compliance, there’s still a vacuum around state bodies.
The Centre on November 18 released a revised draft of the Digital Personal Data Protection Bill, 2022, with an increased focus on personal data as a fundamental right, as ruled by the Supreme Court. The earlier bill was slammed by privacy experts and tech firms alike, primarily owing to its clauses regarding the local storage of data. The revised draft appears to be friendlier towards cross-border data flows and to offer easier compliance for startups, but at the same time it imposes a heavy penalty for non-compliance.
So, what changes has the new draft brought in? And how will it affect tech companies in the country? Let’s take a closer look.
What did the earlier Personal Data Protection Bill entail? Why was it removed?
The Personal Data Protection Bill was introduced in the Lok Sabha in December 2019. Drafted by the Justice Srikrishna Committee a year earlier, the bill proposed a set of rules that would dictate how personal data should be processed and stored, seeking to set up a Data Protection Authority in India to protect the digital privacy of individuals.
It also listed people’s rights when it came to their personal data.
After being introduced in the Lok Sabha, a draft of the bill was referred to the Joint Parliamentary Committee (JPC) in December 2021 before being tabled in the Parliament after six extensions.
The committee would then go on to recommend 81 amendments to the bill (which had 99 sections). An additional list of a dozen major recommendations was made by the JPC.
The Bill was heavily slammed by privacy experts, as it was deemed to be more beneficial to central agencies, allowing them to freely obtain data under certain conditions.
The bill also proposed the handling of non-personal data under the data law on individual privacy, which was also heavily criticised.
Furthermore, big tech firms such as Amazon, Google, and Meta raised objections to some of the bill’s provisions that would mandate local storage of data and also the processing of some sensitive information within the country. It also looked to provide exemptions to the government’s own probe agencies from the Act’s provisions, which saw a huge uproar from the opposition.
The Centre would eventually withdraw the Bill in August 2022.
What the revised Digital Personal Data Protection Bill, 2022, brings to the table
For starters, the revised draft enforces a penalty of Rs 250 crores on firms if the personal safety of user data is compromised in any way. This falls in line with India’s apex court ruling that personal data is a personal right and should be protected accordingly.
The new draft also offers a relaxed stance on data flow across borders as well as comparatively easier compliance rules for startups.
In an explanatory note, the Ministry of Electronics and Information Technology (MeitY) detailed the seven principles of data economy on which the bill is based.
Here’s what MeitY said:
The ministry is inviting feedback from the public on the draft Bill. The submissions won’t be disclosed publicly. The last date to submit comments is December 17.
Submit comments here👇https://t.co/2Y2Z2aqs8B
— Ashwini Vaishnaw (@AshwiniVaishnaw) November 19, 2022
How the new Digital Personal Data Protection Bill will affect companies, state instrumentations
The Internet Freedom Foundation (IFF), a national advocacy body on digital rights and liberties, has offered a detailed review of the new draft Bill after its 'First Read'.
The IFF said that the new Bill still exempts “instrumentality of the State” if it falls under the interests of “sovereignty and integrity” of India. The body said that the Bill would give a free rein to State surveillance, which could result in an immense violation of the privacy of citizens.
“Any exemption sought by government agencies should be granted only if they fulfil the standards of legality, necessity, and proportionality. It is essential that government collection and processing of citizen data is regulated to prevent misuse of use,” the IFF noted.
The Bill also proposes the formation of a Data Protection Board, which will oversee all the proposed provisions. The IFF observed that this board is not independent, which might hamper the “independence needed to sufficiently protect the interests of Data Principals. As a result, the board may perpetuate the hierarchies of the government setup.”
Speaking on the non-localised data transfer proposals, the IFF said that the Bill doesn’t specify the standards on which the Centre can decide to which countries data transfers can be allowed. “This enables arbitrary exercise of power where countries may be selected or not selected based on considerations other than protection of personal data of Indians,” the IFF noted.
The IFF drove hard on the seeming vagueness of the Bill. It said that the phrase “as may be prescribed” has been mentioned 18 times. “This is symbolic of the vague and unchecked powers that the Union Government has retained for itself to frame rules at a later stage in the absence of legislative guidance.”
The IFF, however, did mention that there have been some positive additions as well. For starters, fiduciaries will now have to notify the Board and Data Principals whenever there is a breach of data, irrespective of its nature, bringing a sense of transparency that was earlier absent.
Additionally, the Bill has also clearly mandated that companies cannot track or monitor the behaviour of children or direct targeted ads at minors.
So, while the new draft does put a tight leash around companies in terms of transparency in handling breaches or handling data from underage users, there still remains a vacuum when it comes to Central control on the overall implementation of the Bill.