The proposed data protection bill will compel companies to review their current ways of working, make investments in new processes and sensitise the workforce in handling personal data, experts said on Thursday.
The bill was introduced in Parliament on Thursday.
Manish Sehgal, Partner at Deloitte India, welcomed the bill, saying that the moment was being waited upon for the past few years.
According to him, non-adherence to the obligation listed in the bill may attract sanctions and commercial penalties as high as Rs 250 crore.
"In view of the bill's extra-territorial coverage, enterprises based outside India serving individuals in India will also be expected to adhere to the provisions of this bill once enacted," he said.
He also said that enterprises will have to review the current ways of working, especially for the personal data of employees, customers, merchants and vendors to honour their right to access, update and erase their personal data.
Advising businesses to be ready for implementing data hygiene practices, he said, "Once the bill will be enacted, transformation is imminent and enterprises should embrace it, not just for compliance purposes but to establish and operate in a privacy-enabled environment." Noted tech author and Founder and Managing Director of Tech Whisperer Jaspreet Bindra said India is one of the very few countries where privacy has been declared to be a fundamental right of its citizens.
He welcomed the proposed formation of the Data Protection Board and the fact that it will be housed by professionals but noted that there will be challenges in its implementation.
"Technology tends to move much faster than regulation and implementing regulation effectively and speedily is a challenge. There are many aspects to GenAI like plagiarism of data, data bias, deep fakes, etc. which would be difficult to track and regulate, given the power and wide distribution of this technology," he pointed out.
Founding Director of technology policy think tank The Dialogue Kazim Rizvi commended several elements in the Bill but sought clarity on some other provisions.
"The 2023 Bill has expanded the provision for the creation of a grievance resolution mechanism to consent managers. This is also a beneficial step, however it will be great that any future rules related to this clause align with other sector-specific regulations for consent managers which will help to avoid regulatory disparity," he said.
" ... it will be further helpful to clarify the mechanisms like binding corporate rules, contractual clauses etc that enterprises may follow to transfer the data," he said on cross-border data.
He also noted that adding "a certain degree of oversight" to law enforcement through the Bill will avoid unrestricted exemption for enterprises, that might otherwise erode accountability.
Digital Personal Data Protection (DPDP) Bill is likely to face numerous challenges like compliance costs, intricate technical measures, and limited awareness among individuals about their data rights, Senior Managing Director of Ankura Consulting Group (India) Amit Jaju said.
"Businesses will be required to make substantial investments in new systems and processes, train their workforce, and appoint data protection officers.
"Individuals may not be fully aware of their rights as outlined in the bill... the efficacy of the bill will hinge upon the Data Protection Authority's ability to enforce its provisions effectively," he noted.
Shahana Chatterji, Partner at Shardul Amarchand Mangaldas and Co, said the Bill is a forward-looking legislation having horizontal application across sectors, and will impact businesses of all sizes.
"The DPDP Bill strikes an important balance in protecting users’ rights and promoting innovation in digital businesses. Its key business-friendly provisions include eliminating criminal penalties for non-compliance, facilitating international data transfers etc.
"It also provides for a comprehensive set of rights guaranteed to data principals which aims to create a transparent and accountable data governance framework going forward," she added.
Kirti Mahapatra, Partner at Shardul Amarchand Mangaldas and Co, exuded confidence in the law, which "will help build new regulatory architecture in the Indian technology sector and growth of a three-trillion-dollar Indian digital economy.” Garima Mitra, Co-Founder of legal advisor Treelife, pointed out challenges in clauses such as the age threshold of 18 years and the amendment of the Right to Information Act.
"Definition of a child is kept at 18 years old with only an enabler for lower age. Currently, the way usage in India is seen, a lot of people under 18 are using apps and giving away their data independently. Hence, a higher threshold of 18 years is merely a formality and enforcement of the same will be challenging," she pointed out.
On the RTI clause, the amendment "highly restricts the scope of the RTI Act to the effect that the public cannot access personal information, even if such information cannot be denied to the parliament or state legislature.
"At times, personal information becomes a crucial part of public monitoring and is an established welfare concept. The proposed amendment cordons off the officials from this public monitoring," Mitra said.
Quick Heal Technologies' Joint Managing Director Sanjay Katkar the bill shows the government's commitment to safeguarding personally identifiable information in the digital age.
Raj Sivaraju, President of APAC region at Arete said the law "maintains the fundamental foundation of our digital society." "The bill's impact on the cyber security sector is profound. It fosters a culture of vigilance, pushing companies to invest in cutting-edge cyber security technologies, threat detection, and incident response capabilities and inspires research and innovation in the cyber security realm," he added.
Nishant Behl, Founder of Expand My Business, said the Bill will ensure a more privacy-conscious digital ecosystem and strengthen the regulatory landscape.
Udit Mehrotra, MD and CEO of Spectra said the Bill serves as a reminder for network security being an "imperative responsibility for companies".
"Safeguarding not only personal information, but also the very infrastructure that holds it, ensures a landscape where trust, innovation, and progress can thrive unhindered," he added.
Legitimate access to customer data is critical to fintech lending for an inclusive digital economy, CEO of Fintech Association for Consumer Empowerment Sugandh Saxena said.
"Digital Personal Data Protection Bill 2023 clarifies and simplifies the rights and obligations of data principles and fiduciary/data processors within an overarching framework for consent, privacy, security, and grievance redressal," he added.