Data Privacy Newsletter – India: Revamping Privacy and Technology Laws in 2023: July 2023
India’s new privacy regulations are soon to be tabled before the Parliament
In the first week of July 2023, India’s Union Cabinet approved a version of the Digital Personal Data Protection (“DPDP”) Bill. The Bill is now set to be introduced in Parliament for discussion during the monsoon session starting July 20th, 2023.
The DPDP Bill sets up a regulatory framework for handling/processing ‘Digital Personal Data’ of Indian residents and imposes detailed obligations and compliance requirements on businesses and entities processing personal information in India. In this newsletter, we will discuss the major changes in India’s privacy landscape and data protection laws.
Existing Information Technology Act, 2000
The Information Technology Act, 2000 (“IT Act”), which was drafted in the early days of the Internet with a limited mandate to regulate electronic records, transactions, and digital signatures, continues to be the principal legislation governing technology. The IT Act has certain limitations, especially when it comes to addressing regulatory requirements for emerging technologies, internet-based services, e-commerce, and social media platforms.
The Indian Privacy Rules of 2011
As technology grew by leaps and bounds, the IT Act over time required multiple amendments and additional rules to address the issues that evolved with it. The Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“Privacy Rules 2011”), issued under the IT Act, were the first regulation to define personal data and sensitive personal data. The Privacy Rules 2011, also referred to as the SPDI Rules, regulate the processing of personal and sensitive personal data, security practices and procedures, data transfers, and the data subject’s rights.
6-Hour Incident Reporting under CERT-In Directions of 2022
The Indian Computer Emergency Response Team (“CERT-In”), the national agency for handling cyber security incidents, issued Directions dated 28 April 2022 (“Directions”) setting out information security practices, procedures, prevention, response and reporting of cyber incidents. The CERT-In Directions are the forerunners of the upcoming regulations in the privacy and technology landscape for India.
Significance of the DPDP Bill
- The current regulatory framework was designed for a pre-digital India and is 2 decades old. It is inadequate for today’s technology developments and privacy concerns, which makes the DPDP Bill necessary. The Government of India withdrew the Personal Data Protection (“PDP”) Bill owing to the multiple recommendations it received via public consultation. A fresh draft of legislation was therefore needed, and it came in the form of the DPDP Bill.
- The DPDP Bill draft is based on 7 principles of data protection: lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality (security); and accountability. In its drafted form, the DPDP Bill primarily outlines the rights and responsibilities of individuals (referred to as “Data Principal”) and the obligations of the organizations that determine the purpose and means of personal data processing (“Data Fiduciary”). Additionally, the DPDP Bill proposes the establishment of a Data Protection Board of India, responsible for enforcing compliance with the provisions and imposing penalties for non-compliance.
- The proposed Data Protection Board of India will function as the independent supervisory and adjudicatory authority for all stakeholders. It will be responsible for the enforcement of provisions and levying penalties and fines. For each instance of non-compliance, the DPDP Bill has proposed a fine of up to INR 10,000 for an individual and up to INR 500 crores for an organization.
- The PDP Bill (now withdrawn) had a specific requirement of storing data within India and certain provisions for cross-border transfer of data with prior consent. However, the DPDP Bill has done away with the specific data localization requirement and eased the cross-border data transfer regulations, allowing businesses to transfer personal data to other countries that are notified by the Central Government.
- The DPDP Bill is crucial as it aligns India’s data protection laws with the free flow of data and globalization in technology. It balances the need to protect privacy with fostering innovation and economic growth. Additionally, it addresses issues like data sharing across borders and allows data transfers to specific countries, which can promote international cooperation and trade.
- The DPDP Bill is a key legislation that addresses the shortcomings of the current regulatory framework and brings India’s data protection laws into the digital era. The establishment of the Data Protection Board of India further strengthens the regulatory landscape, providing an independent authority to enforce provisions and impose penalties for non-compliance. In essence, the DPDP Bill is a significant milestone in shaping India’s data protection landscape. It is essential that organisations make revisions to their internal frameworks to incorporate and comply with the requirements of the new legislation.
Proposed Digital India Act, 2023
- By the year 2025-26, India aims to become a $1 trillion digital economy and a global hub for innovation and entrepreneurship. In the years to come, India will play a key role in shaping the future of technologies and become a trusted player in global value chains for digital products, devices, platforms and solutions. With the goal of becoming a global digital economy, there is a need for a new regulatory framework to address challenges in today’s digital India which are beyond the scope of the IT Act.
- Recently, there have been discussions around a completely new legislation called the Digital India Act (“DIA”) to replace the IT Act, the Privacy Rules 2011 and all other regulations thereunder. This new legislation will be drafted with the intent to make it a future-ready law which will regulate current and emerging technologies such as Artificial Intelligence, machine learning, quantum computing, Blockchain and Web 3.0.
- The DIA will also consist of the Digital Personal Data Protection Bill, the DIA rules, the National Data Governance Policy, and the Indian Penal Code amendments as may be necessary. With more than 850 million internet users, India is also the world’s largest “digitally connected democracy”. The IT Act and regulations thereunder were created for pre-digital India and lack provisions for user rights, trust, safety, and modern cyber threats. This creates the need for a DIA for India.
- The proposed Digital India Act must be evolvable and consistent with the development of technologies and global standards. The DIA has certain key components, the first being an open Internet providing for choice, competition, online diversity, fair market access, ease of doing business, and ease of compliance for startups. Secondly, the DIA proposes online safety and trust, to safeguard users against cyber threats, defamation, and cyberbullying and to protect minors from any kind of abuse. Thirdly, the DIA has provided KYC requirements for devices which could threaten the privacy of an individual. Lastly, the DIA promotes digital governance, including easy access to government and public utility services, and delivery of public services through digital platforms in a citizen-friendly manner.
- The DIA will act as a catalyst and an enabler for India to achieve the goal of a $1 trillion digital economy. The proposed DIA will act as a parent framework/instrument between the respective authorities, the provisions of the Digital Personal Data Protection Act (when passed), the National Data Governance Policy, and the amendments to the IPC and various other laws.
- The Government of India is yet to provide a detailed timeline for rolling out a draft bill to implement the DIA. The Government plans to study global laws and practices and consult with industry experts and the members of the public.
- The draft bill will undergo consultation from various industry experts and only then be released to the public and further tabled in the Parliament for discussion. As the Government is set to adopt a Digital India Act, organisations should gear up for this future-ready law and be proactive in adapting their practices, strategies, operations, and compliance measures to thrive in India’s digital future.