“This new Bill, after it is passed by Parliament, will protect rights of all citizens, allow innovation economy to expand and permit government’s lawful and legitimate access in national security and emergencies like pandemics and earthquakes,” said minister of state for electronics and information technology Rajeev Chandrasekhar.

The DPDP Bill with global standards, is contemporary, future-ready, yet simple and easy to understand, he said, adding that the Bill was drafted after exhaustive consultations with a multitude of stakeholders.

The Bill envisages penalties of up to ₹250 crore per instance in the case of a data breach, lower than ₹500 crore proposed in the earlier draft issued in November 2022.

The Union Cabinet had approved the Bill last month, which had several changes, including one clause which allows government to direct any government agency, an intermediary or a platform to block or ban any information, in the interest of the general public and after giving an opportunity of being heard to that data fiduciary.

“Every intermediary who receives a direction issued under sub-section (7) shall be bound to comply with the same,” the Bill states.

Legal specialists and observers said the Bill’s scope had been expanded to include semi-automated and mechanical digital data processing. Under general obligation, the terminology and scope of the deemed consent has been changed. The items to be incorporated within the notice have been enhanced, while the requirement for plain and clear text has been removed, some said.

“A class of data fiduciaries or specific functions can be exempted from the additional obligations of processing children’s data, while the provisions are also extended to disabled persons who may or may not be a “Child”. The open-ended determining factor for classifying an entity as significant data fiduciaries has been removed, however, there is less clarity regarding the threshold and clauses have been added where government may prescribe more obligations in future,” said Kazim Rizvi, founder director, The Dialogue.

The new Bill, in a significant departure from the previous version of the draft released on 18 November 2022, introduces a provision that grants the government the authority to lower the age of children, which is currently set at 18 years, for those processing activities of businesses which are deemed verifiably safe by the Indian government, legal and experts said.

The provision of a negative list approach for cross-border transfer of personal data instead of a white-list represents a significant shift in strategy. Based on this approach, the Indian Government will have the ability to regulate and limit the transfer of personal data across borders based on specific criteria set by the Indian government.

“Such power will not override any law that provides for a higher degree of protection for or restriction on transfer of personal data by an entity. The approach adopted by the Indian Government in determining the criteria for the negative list and maintaining harmony between sectoral laws and the Bill will be crucial,” said Supratim Chakraborty, Partner at Khaitan & Co

The Bill also mandates that consent for the collection of personal data must meet specific criteria, including being specific, informed, unconditional, unambiguous, and limited to the extent necessary for the specified purpose. Further, the Bill provides that even where consent is obtained for a specified purpose, the consent will only be valid where the processing of personal data is necessary for such specified purpose. This provision has significant implications for businesses as they will now be required to obtain consent for purposes which are necessary for which it is being collected, Chakraborty added.

The new Bill proposes a tiered grievance redressal mechanism for individuals who will have the option to approach the Data Protection Board of India only after they have exhausted the grievance redressal process enabled by an entity.

He added that the right to access information about personal data comes with an exemption where data fiduciaries can refrain from disclosing the details about data fiduciaries and data processors who have sought the data for law enforcement purposes. However, there are no checks and balances for the exemptions. The provisions related to grievance redressal are extended to consent managers, though harmonising the same with other sectoral regulations would be crucial.

The data protection Bill includes provisions related to the Appellate Tribunal, where TDSAT will handle the hearing of appeals on matters related to data protection, while TDSAT might not have the capacity to deliver the same, some experts suggested.

Updated: 03 Aug 2023, 04:47 PM IST