In the second week of August 2023, the Digital Personal Data Protection (DPDP) Bill was passed by both houses of Parliament. The DPDP Act is the imperfect conclusion to a five-year saga that began with the first draft bill in 2018.
The final text includes a number of notable changes over the 2022 Draft Bill, some that are a marked improvement over previous iterations, and others less so. On the right side of the ledger, first is the change in conditions for cross-border transfer of data from whitelisting of trusted geographies to a blacklisting process (Clause 16 (1)). The Act also introduces differential obligations for data fiduciaries based on the volume and nature of personal data processed (Clause 10 and Clause 17 (3)). The former lays to rest the debate over data localisation, as well as the potentially cumbersome process of identifying exhaustive parameters for assessing trusted geographies, a challenge raised in the Observer Research Foundation’s recommendations for the 2022 draft last year. Exemptions for startups in a regulatory sandbox also appear responsive to concerns raised about the disproportionate compliance costs for new businesses, potentially damping innovation and advantaging larger companies that have the resources to comply with the provisions of the DPDP Act. The Minister of State for Electronics and Information Technology Rajeev Chandrasekhar also stated that the government intends to follow a graded approach, with longer timelines for smaller enterprises to comply.
The DPDP Act is the imperfect conclusion to a five-year saga that began with the first draft bill in 2018.
From a digital economy perspective then, this Bill does tick several boxes, pending further notification on gaps in the present Act, of course. The passage of the Act itself would provide some closure to entities in the Indian market, after years of uncertainty. As more foreign companies leave China, and even Chinese companies look to markets elsewhere as economic growth slows in their home ground, India’s 759 million active internet users make it an attractive destination. This is true even more so because this large number still only represents just a little over half of the country’s population. By 2025, India is projected to add another 150 million users: more than the entire population of Japan.
The Bill is, however, an inadequate framework for protecting individuals. Perhaps the most-contested provision of the Act since its inception five years ago is on sweeping exemptions for government. Under Clause 17(2)(a), the Act will not apply when:
…by such instrumentality of the State as the Central Government may notify, in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these, and the processing by the Central Government of any personal data that such instrumentality may furnish to it…
The Minister of State for Electronics and Information Technology Rajeev Chandrasekhar also stated that the government intends to follow a graded approach, with longer timelines for smaller enterprises to comply.
Given that one of the animating reasons behind the need for data protection legislation in the country was the creation of large repositories of personal data such as biometrics under entities like the UIDAI, this was and remains a chasm in the realisation of a secure and trusted Digital India. As the Srikrishna Committee report noted half a decade ago, “Governments, as data fiduciaries, process large amounts of personal data, be it related to taxation, Aadhaar, social security schemes, driving permits, etc. Unlawful processing of such data can cause significant harm to individuals.” Nevertheless, there remain opportunities for the government to build out consistent guidelines for government functions, separate from the provisions of the DPDP Act, such as through the National Data Governance Framework Policy.
Furthermore, in a marked difference over previous drafts, the DPDP Bill 2023 appoints the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) as the body for appeals against any order of the Data Protection Board of India (DPBI) (Clause 29) and restricts the jurisdiction of civil courts over such cases (Clause 39), a choice likely to raise eyebrows.
Finally, victims of data breaches are not entitled to compensation. Instead, any monetary penalties imposed by the DPBI will be credited to the Consolidated Fund of India. This is a departure from other frameworks like the GDPR, which entitles data principals to compensation for material and non-material damages. At the same time, the Act imposes penalties of up to INR 10,000 on individuals for breach of duties, including “false or frivolous” complaints. Together, these clauses make it prohibitive for individuals to pursue legal action against data fiduciaries for breach of the DPDP Act. And while initiatives like Digital Bharat and the National Digital Literacy Mission are striving to improve digital literacy within the country’s newly-online population, digital literacy is still relatively low, at 38 percent of households nationwide. There is also a difference in digital literacy between states, between rural and urban areas, and between men and women. Those who are most vulnerable to harm caused by data fiduciaries are, therefore, the least protected by the Act.
Victims of data breaches are not entitled to compensation. Instead, any monetary penalties imposed by the DPBI will be credited to the Consolidated Fund of India.
The DPDP Act may be the culmination of five years of drafts, consultations, and diplomatic furores, however, it is a starting point, rather than the destination. The Ministry of Electronics and Information Technology (MeitY) is working on the draft Digital India Act (DIA), to replace the IT Act and Rules 2000. DIA, touted as a companion legislation to the DPDP Act, promises to address issues of online safety, cybersecurity, and AI regulation—including algorithmic transparency—and surveillance. The full draft, which was expected last month, will likely be out for public comment in the coming weeks.
Trisha Ray is an associate director and resident fellow at the Atlantic Council’s GeoTech Center.
The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.