The Indian President Droupadi Murmu on Friday granted assent to the Digital Personal Data Protection Bill (DPDPB) after it was unanimously passed by both houses of the parliament last week, marking a significant step towards securing people's information.
"The Bill provides for the processing of digital personal data in a manner that recognizes both the rights of the individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto," the Indian government said.
The long-awaited data protection law comes months after the Ministry of Electronics and Information Technology (MeitY) released a draft version of the bill in November 2022. It has been in the making for over five years, with a first draft released in July 2018. A year before, India's Supreme Court upheld privacy as a fundamental right.
The legislative framework, which applies to personal data collected both online and offline (and subsequently digitized) inside and outside of India, requires that information be processed "only for a lawful purpose upon consent of an individual" and only store what's necessary for the purpose defined.
The requests for explicit consent from users should be accompanied or preceded by a notice to inform the purpose for which the personal data is proposed to be processed. "Personal data" refers to "any data about an individual who is identifiable by or in relation to such data."
Consent, however, is not required for "certain legitimate uses" under which platforms can process personal user data when it is provided voluntarily, for example, by opting to send bills via email. It also waives compliance requirements for certain data fiduciaries, such as startups.
On top of that, processing any personal data of children aged up to 18 years or a person with disability who has a lawful guardian necessitates that companies obtain verifiable consent of their parents or guardians.
"The Bill does not permit processing which is detrimental to well-being of children or involves their tracking, behavioral monitoring, or targeted advertising," the government noted.
That said, the consent can be exempted upon examination of whether a covered entity sufficiently proves the processing of personal data of children is done in a manner that is deemed "verifiably safe" by the government.
Entities in charge of the information are obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met. It also bestows users the right to obtain information, seek correction and erasure, and grievance redressal.
Furthermore, the DPDP Act stipulates the establishment of a Data Protection Board (DPB) comprising members appointed by the government to examine complaints, investigate data breaches, and levy penalties based on the severity, duration, and the "repetitive nature" of the incidents.
"In case of a citizen's data breach, they simply need to visit the website, provide the data protection board with details, and the board will initiate an inquiry, imposing penalties on the breaching platforms," IT minister Rajeev Chandrasekhar said.
Organizations that misuse or fail to safeguard individuals' digital data or notify the DPB of a hack can face monetary fines of up to ₹250 crore ($30.1 million). Decisions of the board can be appealed to the Telecom Disputes Settlement and Appellate Tribunal for review within 60 days.
In what's a relaxation from the earlier draft of the bill, companies that handle personal data can now transfer it to any other country for processing, unless the central government has explicitly prohibited such transfers. Previously, cross-border data transfers were only allowed to a specific set of countries and territories.
A major sticking point is the broad exemption granted to government agencies from adhering to the provisions of the act in the "interest of prevention, detection, investigation or prosecution of any offense or contravention of any law for the time being in force in India."
The lack of autonomy of the DPB notwithstanding, much of the focus has centered around concerns that the exemptions could potentially result in data collection, processing, and retention beyond what is deemed necessary, thereby potentially facilitating increased mass surveillance and government-led invasions of privacy.
Another equally worrying matter is the ability of the government to restrict access to "any information generated, transmitted, received, stored or hosted, in any computer resource" in the interests of the general public, leading to "unbridled censorship of dissenting opinions."
"In its present form, the DPDPB, 2023 does not sufficiently safeguard the Right to Privacy and must not be enacted," the Internet Freedom Foundation said in a statement. "It fails to address many data protection concerns and instead puts in place a regime to facilitate the data processing activities of state and private actors."
