Personal data protection bill 2023: What will change for a normal user? Explained

The Digital Personal Data Protection Bill (DPDPB), 2023, was presented in the Lok Sabha on Thursday. While the Opposition demanded referring it to a standing committee for further review, a voice vote led to the bill being accepted for consideration. Now it will come up for discussions in the house.

Hindustan Times spoke to subject experts to better understand how India's first comprehensive regulation (if passed) for personal digital data will affect stakeholders if passed and implemented in its existing form.

How will normal users get affected post-implementation of the data bill?

Once the Digital Personal Data Protection Bill becomes law, there will be a framework and an ombudsman system to handle data breach problems. But only digital data will be covered, not physical data. This means even taking a picture of data counts. However, if someone only uses paper and never makes it digital, they won't have to follow these rules, no matter how much data they have, says Archana Balasubramanian, partner at Agama Law Associates.

Also, Indian businesses already deal with rules from the US and Europe, so not much will change in how they work, she adds.

Users might notice a few things, like clearer privacy notices, choices to say no, alerts if data is misused, and the right to see and fix data.

For example:

1. Websites and apps will ask for permission before using your data.

2. You'll need to give consent before getting emails or texts for promotions.

3. Once this new law starts, online businesses will tell you about your data and how they use it.

Does the bill place an undue burden on tech companies, especially startups?

Most companies can continue their usual operations with minimal disruption, say experts.

1. Will make companies accountable: "Indian companies have been operating unchecked for a long time. They have been mining data without having any security or privacy obligations, says Mishi Choudhary, founder of Software Freedom Law Center, adding that all businesses must ensure customer security. The bill benefits society.

2. Startups may feel difficulty initially but will get help in the long term: “While larger corporations may already have compliance measures in place, small and medium businesses nationwide may face unique challenges in meeting these requirements,” says Dr. Sanjay Katkar, Jt. Managing Director, Quick Heal and SEQRITE, adding that there will be a work opportunity for security management companies to empower businesses to navigate data protection regulations effectively.

Startups get extra protection if they collect data for research or tech development, says Balasubramanian. She adds, tech and IP-focused firms can now shield trade secrets better, preventing leaks or espionage as accessing employee data for this purpose is seen as employee consent.

According to Akshay Garkel, Partner, Grant Thornton Bharat startups might struggle with data protection due to tight budgets but they can set up strong data management, boosting long-term success and trust.

The Digital Personal Data Protection Bill, 2023: Hits

1. Addresses India's need: “The DPDP Act of India stands on par with the European Union's General Data Protection Regulation (GDPR). Recognising that every country is unique, the DPDP Act is thoughtfully tailored to cater to India's specific requirements and challenges,” says Grant Thornton Bharat's Garkel.

2. Grievance resolution to big quicker: Garkel says with well-defined deadlines for the Data Protection Boards and the Appellate Tribunals, the Act instils hope in swift grievance resolution.

3. Inclusive bill: “Everyone, including the less privileged, illiterate, and vulnerable, will have the opportunity to access their data in English and 22 other regional languages,” Garkel adds.

4. Truly digital: The digital operations and techno-legal measures of the Data Protection Boards are commendable steps, in removing geographical and logistical barriers for complainants and authorities. The infusion of techno-legal systems streamlines processes and minimizes human intervention for more effective complaint handling, he adds.

5. Industry friendly: This is a minimally disruptive law - laws finally being aligned with sectoral laws, recognising processing outside India for Indian subjects and allowing businesses to continue validity based on pre-existing consent - basically retaining the “opt-out” right as opposed to international standards of “Opt-In”, says Agama Law Associates' Balasubramanian.

6. Simple: “It's also lovely to see those illustrations and examples to throw light on the provision - much like the Indian contract act and IPC,” she adds.

7. Special provision for children: “It is heartening to see measures around personal data processing of children especially guiding data fiduciaries to not track or undertake behavioral monitoring or advertising securing their digital privacy,”

The Digital Personal Data Protection Bill, 2023: Misses

1. No distinction between personal data: The distinction between non-sensitive and sensitive personal data, present in earlier drafts, is absent in this bill, experts point out.

ALSO READ - Data protection bill seeks to make regressive amendments to RTI Act: NCPRI

2. Vague: "There are some important aspects that the Bill does not address head-on, but ‘kicks into the long grass’ for rules to be formulated later. These include a ‘blacklist’ mechanism that may impact data transfers to foreign countries," says Vikramjeet Singh, partner, BTG Legal.

3. More power to state: The Bill grants exemptions to the Government and delegates numerous powers to the Executive through Rules, a departure from global data protection norms. “No data Protection Bill in the world does this,” says Software Freedom Law Center's Choudhary.