India’s DPDP Bill 2022-A significant milestone in Data Protection and Privacy

The Union cabinet has given the green light to India's much-needed Digital Personal Data Protection (DPDP) Bill, marking a significant step towards safeguarding our privacy and data security. Once passed by Parliament, this bill will become our country's first-ever legislation dedicated to data privacy and protection. This Bill is anticipated to be presented during the upcoming monsoon session of the Parliament, starting 20th July.

The current version of the bill was published in November last year for public consultation. Some minor changes have been incorporated based on the feedback collected by the Ministry of Electronics and Information Technology during the consultation stage, but more details are awaited. While we closely monitor the developments, it becomes apparent that the DPDP Bill embodies a more streamlined iteration in comparison to its previous drafts.

This bill was necessitated following the Supreme Court's recognition of privacy as a fundamental right in 2017 and ends a six-year-long wait. The journey of this Bill began with the formation of the Justice BN Srikrishna Committee in 2018, which was withdrawn after it received a lot of criticism on grounds of being too complicated and placing certain obligations related to data localisation requirements on industry, among other aspects.

The DPDP Bill introduces some key important features such as:

• Introduces the concept of "deemed consent": alongside explicit consent, where consent is presumed in certain situations including voluntary provision of personal data, performance of legal functions or provision of benefits by the state, compliance with judgments or orders, response to medical emergencies, public health crisis, disaster management, employment-related purposes, prevention of fraud, mergers and acquisitions, network security, credit scoring, and debt recovery.
• User's right to consent management: The Bill introduces the concept of a consent manager, which helps users manage their right to update or delete personal data from their social media platforms.
• Cross-border data transfer: Authorizes the cross-border transfer of personal data to countries or territories notified by the Central Government, considering various aspects while notifying these countries/territories.
• Significant Data Fiduciaries (SDFs): Introduction of the concept of SDFs based on factors such as the volume and sensitivity of personal data processed and the risk of harm to data principals and the state. SDFs are subject to additional obligations and scrutiny.
• Verifiable parental consent: Requirement for data, such as targeted advertising, that is likely to cause harm to children.
• Data Protection Board of India: Establishment of a board responsible for oversight, imposing penalties, and handling complaints. The Bill is expected to provide details regarding the composition and selection process of this Board.
• Penalties for non-compliance: Penalties for different offences range from up to INR 10,000 to up to INR 500 crores. The Bill outlines factors to be considered when determining the penalty.

In an era marked by remarkable development in technology such as Artificial Intelligence, automation, and natural language processing, the DPDP Bill has been the need of the hour. By embodying the fundamental principles of privacy as an inherent right and its affinity to international personal data protection laws, this Bill is a major step towards creating a safer and more responsible digital ecosystem for all.