The Digital Personal Data Protection Bill passed by the Rajya Sabha today is a welcome step. This marks a significant leap forward for India to establish a robust framework for personal data protection and build India as a trusted data destination. Ensuring comprehensive data protection is paramount for accelerating India’s digital economy and the bill strikes a harmonious balance between flexibility and data privacy measures.
Ms. Debjani Ghosh, President, nasscom said, “The passage of the Data Protection Bill by both the houses of the Parliament is a landmark moment. The technology industry and nasscom have been working collaboratively with the government from the start to share insights and industry experiences from global regulations, the India differentiators and provided detailed submissions through the evolution of this Bill”. She further added, “We truly appreciate the consultative approach that engaged all relevant stakeholders at each phase in defining the digital data protection bill and is really looking forward to India having its own Data Protection law. This is a giant step forward towards establishing India as a Trusted Innovation Partner for the world.”
Some of the key recommendations which are reflected in the Bill include:
• Protection of data principals: Concept of purpose limitation and data minimization should be provided in the law. Inclusion of these concepts together with the novel concept of consent manager in the law is welcome and it should empower the users to effectively exercise their rights.
• Export Sector: The law should enhance trust in processing data in India. Processing of foreign data in India should avoid overlaps with the laws of the countries whose data is being processed. Accordingly, the bill provides that companies processing foreign data in India will need to adhere to security safeguards to prevent personal data breaches under the law.
• Start-ups: Obligations should be risk-based so that start-ups and small and medium enterprises are not unduly burdened. The bill provides the power to exempt startups from certain obligations and imposes additional obligations on significant entities. This risk-based framework is welcome.
• Cross-border data transfers: There should not be default data localisation in the law and the approach of whitelisting countries to permit data transfers should be avoided, as it is not practicable. This has been addressed in the bill which now enables the government to provide safeguards without a complex permission-led process.
• Research, Search Engines, AI: Emerging technologies adoption should not get unduly hampered and training of data sets, or operation of search engines should be permitted. The law enables publicly available data to be processed by search engines and training of AI data sets as long as such data is made publicly available by the person to whom it pertains or is made available under any law.
