View from India: Draft bill aims to protect digital personal data

The Digital Personal Data Protection (DPDP) Bill is legislation that will govern the use and protection of personal data in the country. It takes into account the rights and responsibilities of citizens or Digital Nagriks and data fiduciaries. The aim is to ensure lawful and transparent data collection and usage. The draft had been thrown open for public feedback in November 2022, prompting several suggestions for amendments.

Rajeev Chandrasekhar, Union Minister of State for Electronics and Information Technology, has stated that the DPDP Bill will bring about significant behavioural changes among platforms in India, especially in cases that have exploited or misused personal data.

The Bill probably needs to be viewed in its context. We need to go back to 2018 when Justice BN Srikrishna Committee had submitted a draft of the Personal Data Protection (PDP) Bill to the Ministry of Electronics and Information Technology (MeiTY). However, that bill was withdrawn on grounds of being very complicated. From then on, the text has undergone changes and revisions, and the 2023 DPDP draft is the fourth iteration.

In practical terms, let’s try and figure out what DPDP means to the common folk. Through the DPDP Bill, individuals can lawfully seek details about their data collection, storage and processing. The thrust is on the protection of digital data which is personal. So, non-personal data doesn’t call for any regulation. Personal data may be required for a particular purpose, and it needs to be safeguarded. But when it is no longer in use, it should be eliminated.

Let’s look at an example. An individual wants to close a social media account. In this case, all their personal data on that social media platform needs to be fully deleted. The draft of the bill also mandates that if someone closes their bank account, likewise all personal data pertaining to the individual needs to be deleted. 

Media has reported that there will be penalties for noncompliance. This can be understood from the fact that digital services are proliferating across almost all sections of society. Digital tools for data security are doing the rounds. All this is fine, but a law and its framework would probably be better. Consequently, the draft has categorically stated that a penalty of up to 250 crore rupees on entities will be meted out for every instance of violation of norms in the bill.

Another highlight is that data can be stored in trusted geographies and not necessarily in local pockets. It means that cross-border data flows can happen smoothly. With this, trade agreements may be favourable. But then the data flows should take into account data privacy. The encouragement towards cross-border data flows comes at a time when India has set its goal of being a five- trillion-dollar economy by 2024-2025. The digital economy could certainly fuel the growth. Cross-border data exchange facilitates the move towards the Fourth Industrial Revolution. But then such data transfers are prone to cyber-attacks. Naturally the draft has indicated that a regulatory body in the form of the Data Protection Board will be in place.  

Let’s hope DPDP facilitates digital governance and helps in boosting the digital economy of the country. It needs to safeguard personal data as well as ensure that the digital ecosystem functions smoothly.

The bill is scheduled to be introduced in the upcoming monsoon session of the national Parliament, which will be held from 20 July to 11 August 2023.