Data Protection Bill 2023: ‘Businesses need to rethink how they handle user data, can’t be careless’

Aug 3, 2023 - 19:30

The Digital Personal Data Protection Bill has finally been introduced in the Lok Sabha and is up for deliberation. As with any major bill that will have a long-lasting effect on the fabric of Indian society, there is a lot of noise surrounding the bill.

For starters, it was assumed that the bill would be introduced as a money bill, so that it would not be discussed and scrutinised properly in the Rajya Sabha and could be passed using any means necessary. Union IT Minister Ashwini Vaishnaw had to clarify that the bill was being presented, not as a money or finance bill, but as a regular bill, and that it would be open for discussion in both Houses.

Although several aspects of the bill seem concerning to people, by and large the consensus among experts and industry insiders is that the bill is not just necessary, but has been crafted well for a digital-first India.

While the Bill is not as stringent as GDPR, it has been devised along the lines of international data protection frameworks such as the GDPR, says Varsha Rajesh, Lawyer, Nishith Desai Associates. “Therefore, from a compliance perspective, data businesses and communication businesses which are compliant with the GDPR should have an easy transition under the Bill as well. In terms of the provisions of the Bill itself, it is business-friendly and introduces concepts such as legitimate uses for processing of personal data and also permits cross border transfers of personal data to territories that are not explicitly restricted by the government.”

As for end users or individuals, the bill offers the best of both worlds: ease of compliance for businesses, and rights bestowed on end users, i.e. data subjects. “The Bill is a step up from the existing regime and protects all forms of digital personal data of an individual. Additionally, the Bill also adopts a rights-based approach and prescribes rights such as the right to information; correction and erasure of personal data; right to nominate a nominee for enforcement of rights, and grievance redressal. On the flip side, the Bill also imposes responsibility on the data subjects and prescribes duties such as not impersonating, not filing frivolous complaints, suppressing material information, and submitting only verifiably authentic information among others,” Desai told Firstpost.

Nishant Behl, Founder of Expand My Business, believes that the DPDP bill will not only create an essential framework of trust between individuals and enterprises processing their data but also set explicit norms for accountability and responsible data handling.

“The introduction of the Digital Personal Data Protection Bill is a promising and welcomed step as it addresses concerns like cross-border data transfer and remedies for unauthorised data processing. This will ensure a more privacy-conscious digital ecosystem and strengthen the regulatory landscape,” he told Firstpost.

Harsh Walia, a partner at Khaitan & Co, one of India’s most prominent corporate law firms, told Firstpost that this is a pivotal moment for businesses to re-evaluate their data handling practices and proactively embrace the changing data protection landscape.

“Unlike the current law, which primarily focuses on safeguarding a subset of personal data known as ‘sensitive personal data or information,’ the new legislation significantly extends protection to all forms of personal data and imposes additional obligations, restrictions and resultantly, increased costs, for their processing. By proactively adapting to these changes, organizations can not only safeguard themselves from potential penalties but also induce trust and confidence among their customers in the responsible handling of their personal data,” he told Firstpost.

Dr Sanjay Katkar, Joint Managing Director of Quick Heal Technologies Ltd, one of the country’s most prominent online security service providers, believes that the DPDP showcases our government’s unwavering commitment to safeguarding personally identifiable information (PII) in this digital age. “It emphasizes responsible data collection, secure backup, and lawful disposal practices for businesses. It is now vital to ensure its effective implementation with proper compliance and regulations. This includes strong measures to enforce penalties for non-compliance. Businesses must take this responsibility seriously and proactively adhere to the bill’s requirements,” he added.

Prashant Phillips, Executive Partner at Lakshmikumaran and Sridharan Attorneys, told Firstpost something very interesting: “The Bill is largely aligned with the previous version but has some changes from the previous draft. One of the sections, section 37 provides the Data Protection Board (“Board”) certain advisory powers through which the Board may recommend blocking public access to a computer resource or a platform, raising concerns that such a provision may be utilized for blocking content by the DPB. However, that is not the case,” he said.

“Section 37 provides only advisory powers to the DPB, with the final authority vested with the Central Government,” he added.

Secondly, the Board can only issue such a recommendation if a monetary fine has been imposed on the data fiduciary under consideration on more than two instances, he explained. “It may be noted that such penalties are only imposable in instances when core obligations under the Bill have not been met. Only then the Board may advise the CG to block access or limit the functioning of such contravening entities. This may be essential considering that a continuing operation may expose the personal data maintained with the contravening data fiduciary, to risks. As a corollary, it may be gathered that compliant data fiduciaries would not be subject to such blocking.”

The Bill prioritizes security and puts in place robust measures to adapt to the evolving nature of the data economy while safeguarding personal rights, Nitin Singhal, Managing Director, Sinch, told Firstpost. “As a CPaaS provider committed to doing business responsibly, we will execute the proposed framework and continue to leverage our high standards on customers’ personal data processing and security, now with a renewed focus. Sinch will review the final approved bill and evaluate if we need to change any data retention policies. Since we serve banks and financial institutions our operations are already highly secure and certified by relevant auditors.”
