Industry hails passing of historic data protection bill
Leading industry leaders and stakeholders hailed the passing of Digital Personal Data Protection Bill (DPDP) 2023 by the Parliament as it secured the Rajya Sabha's nod on Wednesday, terming it a “watershed moment”.
Nasscom said this marks a significant leap forward for India to establish a robust framework for personal data protection and build India as a trusted data destination.
Ensuring comprehensive data protection is paramount for accelerating India’s digital economy and the bill strikes a harmonious balance between flexibility and data privacy measures, it said.
"The technology industry and Nasscom have been working collaboratively with the government from the start to share insights and industry experiences from global regulations, the India differentiators and provided detailed submissions through the evolution of this Bill," Nasscom President Debjani Ghosh said.
According to some of the key recommendations which are reflected in the Bill, the concept of purpose limitation and data minimisation should be provided in the law.
"The law should enhance trust in processing data in India. Processing of foreign data in India should avoid overlaps with the laws of the countries whose data is being processed," said the IT industry’s apex body.
Accordingly, the bill provides that companies processing foreign data in India will need to adhere to security safeguards to prevent personal data breaches under the law.
"Obligations should be risk-based so that start-ups and small and medium enterprises are not unduly burdened," Nasscom said in a statement.
Sivarama Krishnan, Partner & Leader, Risk Consulting, PwC India, said the DPDP Bill 2023 is a much-needed leap in the right direction as it establishes the rights and duties of ‘Data Principals’, the owners of data, and the obligations and liabilities of ‘Data Fiduciaries’, who collect, store, and process the data.
"The Bill places reasonable obligations on data fiduciaries, ensuring responsible handling of digital personal data. Introduction of consent managers, additional obligations on Significant Data Fiduciary and verifiable parental / guardian consent for are welcome inclusions to bill,” Krishnan said.
Union Telecom Minister Ashwini Vaishnaw moved the Digital Personal Data Protection Bill, 2023 for consideration and passing in the Rajya Sabha after the Lok Sabha had already passed it.
Murali Rao, Cybersecurity Consulting Leader, EY India said that the DPDP Bill is India's first data protection act, and it establishes a framework for the processing of personal data in India.
"As the next steps towards the enforcement journey, a Data Protection Board needs to be set up and rules to be released through separate notifications which could be for specific parts of the law," Rao noted.
Vihang Virkar, Partner, Lumiere Law Partners, said that it is time that India established a robust legal mechanism to protect personal data of its citizens, in line with global standards.
"The current legal framework in India dealing with protection of personal data is formed of an assortment of legal provisions which can be found in various separate legislation. While India is moving rapidly to become a dominant player in the global digital economy, it is important that the existing collage of data protection laws in India be unified into a single statute," Virkar added.