The Future of Indian Data Regulation

Is DPDP the answer?

Feb 2023|IMA Research

The draft Digital Personal Data Protection Bill (DPDP) recently closed for public comment. This is the 4th version of a law on data privacy and in key aspects, corrects for the over-reach of previous iterations. However, like the original draft, the new law will require businesses to re-examine their compliance structures. This paper looks at the key changes proposed by the DPDP in comparison to the previous bill – and their implications for businesses in India.

Fourth Time Lucky?

The previous iteration of the law – the Personal Data Protection (PDP) Bill 2019 – was withdrawn in August 2022, after being criticised for its overly-wide scope and stringent rules on transferring and processing data outside India. It had proposed a Data Protection Authority (DPA) and an Appellate Tribunal. It also provided exemptions to certain government agencies, with the aim of protecting the ‘sovereignty and integrity of India’. Non-compliance could be penalised by fines of up to Rs 15 crores or 4% of a business’ annual turnover (whichever was higher) and may also have attracted criminal liability. Data breaches would need to be reported by the data fiduciary (institutions collecting/processing data) to the DPA. The PDP also provided data principals (users whose data is getting collected) the right to data portability and the right to be ‘forgotten’.

Though the PDP addressed many challenges pertaining to data protection in the current digital age, it had many loopholes. It allowed the largest data fiduciary – the government – to be exempted at the discretion of the DPA, a body established by the central government itself. The strict regulation of data processing outside India posed challenges for businesses that were part of a global ecosystem, as compliance would have been difficult to reconcile with international data regulations.

Before and After…

The new DPDP narrows the scope of regulation to cover only digitally processed personal data. It excludes manually-collected, non-digitised data from its purview and, contrary to a key recommendation of a Joint Parliamentary Committee, also excludes non-personal data. Further, it removes the distinction between ‘sensitive’ and ‘critical’ personal data, conferring the same degree of importance on all personal data. Though this change reduces the level of protection afforded to different types of data, it may facilitate efficient marketing analytics for businesses.

The rules regulating data transfers outside India have undergone significant changes too. First, the removal of the distinction between sensitive and critical personal data will make it easier to process such transfers. Second, the rules around data localisation have been eased. The earlier PDP required data fiduciaries to maintain a copy of sensitive data locally; forbade the transfer of such data outside India without explicit consent; and prohibited the processing of critical data outside India entirely. In comparison, the DPDP bill allows the processing of personal data collected by Indian data fiduciaries for purposes of ‘offering goods and services’ in India. However, the term ‘goods and services’ has not been explicitly defined, leaving room for misinterpretation. Moreover, the mandate excludes Indian data fiduciaries that collect and process data of non-Indian entities outside India. This loophole may benefit firms that specialise in foreign data collection and processing.

The rules for reporting data breaches have been tightened, and the data fiduciary must report every breach to the Data Protection Board (DPB) as well as to each affected data principal. (The PDP bill required that breaches be reported to the DPA, which enjoyed discretion on whether to inform the data principal.) This strengthens data security at the individual level but also adds a layer of compliance for firms. Conversely, the DPDP caps the fine for non-compliance at Rs 500 crores – doing away with the earlier turnover method – and removes the earlier criminality provisions. The cap limits the potential costs for large companies but may raise them for smaller businesses, for whom proportional penalties would have served as a safeguard. It remains to be seen how the DPB, which has the authority to take a final call on penalty amounts, interprets its powers.

Two important provisions have been carried over from the earlier draft. As with the PDP, the DPDP exempts the state (and its agencies) – through a process of notification – from certain provisions. Although justified on grounds of national security, this loophole might be exploited and thus adversely affect the right to data privacy. At the very least, it could breed mistrust amongst the public. Also unchanged is the requirement to set up a regulator, now called the Data Protection Board (DPB), which will have discretionary power over undefined aspects of the bill. However, the Central government will have full authority over the composition of the Board, which – given that the government is the single-largest data fiduciary – may create potential conflicts of interest.

Implications of the regulation

People

  • The new bill does not address the challenges individuals face with their data privacy, as it does not require fiduciaries to share information with the data principal at the point where consent is given. This reduces the power individuals will have over their data.

  • Though the bill requires that all breaches be reported directly to the data principal, this does not remedy the breach itself. The added step simply keeps all parties informed and adds to the cost of compliance for data fiduciaries.

Government

  • With exemptions being granted to government agencies without the bill specifying a fair and just procedure, there is room for the government to overstep its authority.

  • The term ‘as may be prescribed’ is mentioned 18 times in the bill, giving large discretionary power to the DPB. Additionally, the formation of this board is under the complete supervision of the central government, creating a conflict of interest as the government itself is the largest data fiduciary.

Businesses

  • Overall, by reducing the compliance burden on businesses and making it easier for them to take part in global supply chains, this bill takes a huge step towards digitisation.

  • The bill incentivises digitisation of data, which in the short run may be a costly process, but in the longer run will reduce the cost of collecting and maintaining data.

  • The demand for the removal of ‘non-personal data’ from the regulations was implemented in the DPDP. This will help businesses utilise such data in developing products and services for economic gain.

  • The cost of compliance has decreased for large companies with the new bill, with the upper limit being set at Rs 500 crores. This limit may, however, increase the cost for small and medium companies as discretion lies with the DPB.

  • Doing away with the data localisation obligations of the previous bill is a boon for Indian companies, which can remain competitive with their global counterparts.

  • Consumer-centric businesses (B2C) will have a large amount of data and are likely to face more stringent scrutiny.

A Solid Step Forward

The DPDP Bill is the single most comprehensive piece of data protection legislation in India to date. When it is passed – possibly later this year – it will catalyse the process of digitisation and help protect the data privacy of individuals. The revised draft has addressed multiple industry demands and made up for many of the shortcomings of its predecessors. It will also make it easier to transfer data across borders.

At the same time, the open-ended nature of certain provisions, and the considerable powers granted to Central government authorities, create loopholes that could result in bureaucratic overreach. Further, the law is proposed to be implemented stage-wise, which means there are no concrete timelines as to when it will be enacted in its entirety. On the plus side, this will enable businesses to adopt the regulations in a graded manner. This will allow them time to set up data protection teams, establish internal protocols to tackle privacy issues, and educate their employees and customers about the necessary protocols.