In August 2022, India withdrew its Personal Data Protection Bill (PDPB) from parliamentary consideration. The country’s Joint Committee report proposed over 80 changes to the Bill as it was presented. Rather than address the changes in the existing Bill, the government opted to define new legislation – the Digital Personal Data Protection Bill (DPDPB).

The latest iteration of the DPDPB was released in November 2022. While the new Bill is due to be tabled in Parliament later this year, it’s received criticism from some MPs and members of the Parliamentary Standing Committee for IT. The group has proposed 40 further amendments to address their concerns.

Individuals’ rights to privacy have been constitutional rights within India since the 2017 Puttaswamy judgement. Focused on digital privacy rights alone, the DPDPB and its predecessor are based on principles shared by other global privacy laws, such as the EU’s GDPR, Singapore’s PDPA and Australia’s Privacy Act:

  • Lawful, fair and transparent processing
  • Limiting the purposes for processing information
  • Minimizing the data captured to that which is necessary
  • Ensuring the accuracy of information
  • Limiting the retention of personal information
  • Enforcing accountability

As with other privacy legislation, the DPDPB applies to organizations outside India if they process the digital personal data of its citizens to provide goods and services within the country.

The cross-border data transfer provisions that contributed to the withdrawal of the previous bill are replaced with an approach that allows the central government to decide which countries data may be transferred to and to set the terms and conditions for such transfers.

Some additional requirements are placed on organizations designated ‘significant data fiduciaries’ by the central government. They will need to appoint a data protection officer and perform independent data audits and data protection impact assessments.

Among the more controversial aspects of the Bill, there is no recognition of sensitive personal data — categories of personal information that can be particularly harmful to an individual if they are misused — nor additional provisions for protecting it. The current draft Bill also removes the right to portability and the right to be forgotten from data principals (individuals).

The proposed penalties that can be levied against organizations for any violations of the Bill are limited to 5bn rupees (c. $61m), a change from the 4% of global turnover under the PDPB. Individuals also have responsibilities they must uphold or risk noncompliance penalties under the new law. Misrepresentation, impersonation or failure to provide accurate personal information could lead to a 10,000 rupee fine.

Under the new legislation, a new Data Protection Board (DPB) will be set up to oversee digital personal data protection in India. However, given its reliance on central government for many aspects of the legislation, it’s not clear what authority or independence the DPB will have.

For organizations looking to prepare themselves for the upcoming legislation, understanding their data is the best place to start. Ground Labs’ Enterprise Recon PII includes over 300 pre-defined personal data types covering 50+ countries.

To find out how data discovery supports privacy compliance visit https://www.groundlabs.com/compliance/.
