The bill regulates the collection, storage and processing of user data by technology companies, but gives the government more surveillance power.
On Wednesday, August 9, India's Parliament gave final approval to the Digital Personal Data Protection Bill (DPDP). It must now be signed by the country's President Draupadi Murmu.
“This is changing the entire digital economy, so we will take every step with proper checks, proper balance, and proper verification. We must make it a robust mechanism,"
сommunications and information technology minister Ashwini Vaishnaw said.
Some officials said it might take 6-10 months, as an outer limit, to implement the law.
The Bill introduces an obligation for companies collecting personal data from Indians to obtain explicit consent from the user before processing it. There are a number of exceptions, for example, platforms can process personal data without obtaining consent if the data is transferred voluntarily in a number of cases, such as the provision of checks or government services.
The DPDP also provides for restrictions on cross-border data transfers and penalties for companies and institutions for data privacy violations.Proponents of the legislation have long been saying a data protection law is necessary for a country like India where financial fraud and data leaks are rampant, adding that it could act as a crucial step to protect people’s information from commercial and political exploits.
The Bill envisages penalties of up to ₹250 crore ($30 mln) per instance in the case of a data breach, lower than ₹500 crore ($60 mln) proposed in the earlier draft issued in November 2022.
Vikas Kathuria, associate professor, School of Law, BML Munjal University said that in the short run, the Act will increase the compliance burden of smaller forms but with the passage of time, however, such compliance becomes standard.
The main point of contention in the debate on the bill was that the government-appointed Data Protection Board was established with an advisory role, allowing it to suggest blocking public access to specific computer resources or platforms. Such recommendations can be made if the data fiduciary has been subjected to financial penalties on more than two occasions.
The Internet Freedom Foundation, another advocacy group of digital rights, said the law lacks adequate measures to prevent “over-broad surveillance,” whereas the Editors Guild of India said it believes the law will hamper press liberty and weaken the right to information law.
The bill, six years in the making, was abruptly withdrawn last year and a version of it was withdrawn in 2019 after many of its proposals rattled Meta (banned and designated as extremist in Russia), Google and other tech giants, as well as human rights activists.
Sources: Mint, TechCrunch
