In the current data landscape, the need for data-based policies and regulations has seemingly become important. Based on what the last couple of years have seen in terms of data breaches, the Indian government’s passing of the Digital Personal Data Protection Bill (DPDPB), 2023, is considered a statement. From what is understood, the DPDPB upholds the need for processing of digital personal data for protecting individuals’ rights. “I believe data today is pervasive. However, it needs to be managed and handled balancing both commercial business objectives with personal privacy protocols. This is an initiative that is expected to help businesses and individuals,” Subhrangshu Kumar Neogi, co-founder and executive director, Escrowpay, a digital payments platform, told FE TransformX.
The need for DPDPB, 2023
Market experts have suggested that the bill’s importance lies in ensuring protection of individual privacy privileges and endorsing data management techniques. It’s believed that the bill upholds the need for a significant data fiduciary (SDF), which refers to an entity responsible for processing personal data and related applications. Other entities involved with the DPDPB are the data processor, which is the unit responsible for processing digital personal data for a data fiduciary, and the data principal, which refers to those who are owners of the digital personal data.
Factors considered important for determining how SDFs should be in India include data capacity, technological mechanisms and income scale, among others. Based on what the bill has focused on, four key principles have been emphasised: information, grievance redressal, nomination, and correction and erasure. “As software systems evolve, these might not have guardrails in place by which consent from data principals are obtained before accessing any digital personal data. Moreover, as the act gets empowered, the data principal to withdraw the consent entities might have to continue to provide the services for the data principal,” Kiran Kalyan Kulkarni, CEO, AyanWorks Technology Solutions P Ltd, an IT company, specified.
Market reports have shown that personal information belonging to the categories of offline, non-automated, and present in existence for the past 100 years has not been taken into account in the DPDPB. The bill has highlighted the exclusion of the Rs 500 crore maximum penalty, along with removal of the 72-hour time period for providing information of the crime. Insights from market research have suggested that the bill should impact different sectors, such as human resources, information technology (IT), finance, marketing and information security, among others. Furthermore, the bill is believed to have stressed the point of organisations having data privacy and protection enactment mechanisms with changing times.
DPDPB & GDPR: Differences and Similarities
Going by market reports, common points have been found between the DPDPB and the General Data Protection Regulation (GDPR), which refers to guidelines on data protection and security introduced by the European Parliament (EP) and Council of the European Union (EU). It’s believed that the GDPR takes into account six legal factors, along with ‘legitimate interest’ and ‘contractual necessity,’ whereas the DPDP Act considers two legal factors, which are ‘consent’ and ‘legitimate use.’ Upon further understanding, it has been found that as per the DPDP Act, the data fiduciary is required to provide all kinds of information on data breaches to the Data Protection Board and Data Principals. However, GDPR’s guidelines come into action only if the breaches hamper the rights and freedoms of data entities. Moreover, GDPR focuses on rights such as objection to processing of personal data and data portability, but the DPDP Act doesn’t carry such provisions. While GDPR’s Article 30 stresses tracking the processing of data-based activities and minimisation, the DPDP Act doesn’t carry such provisions.
In terms of similarities between the two acts, GDPR and the DPDP Act both focus on applicability towards unnamed information. The drafting of both acts is based on the same principles of consent, which describe consent as free, specified and informed. In that context, both acts require consent to be derived in accordance with mentioned laws. Finally, the reasons needed to classify a data fiduciary as an SDF, under both GDPR and the DPDP Act, follow the same kind of obligations, such as appointment of data protection officials. “I think it’s essential to understand the roles carried out because a data controller and a data processor have different responsibilities. Because of this, GDPR and DPDPB have seemingly defined the tasks expected of a data controller or a data processor. The functions and responsibilities of data controllers and processors should be important,” Sujit Patel, MD and CEO, SCS TECH, an information technology (IT) solutions company, stated.
Moreover, insights from market research have shown that while GDPR has developed into a global framework for data protection, DPDPB is yet to establish itself in India. Future predictions indicate that protection of personal data in India will need the integration of individuals, businesses and the Indian government. “The DPDP Act is considered a pillar in the data protection landscape. It can not only safeguard the interests of consumers but can also promote responsible data-handling practices among businesses, ensuring a secure and trustworthy digital environment for all,” Edul Patel, co-founder and CEO, Mudrex, a crypto-investing platform, concluded.