
The Parliament approved the Digital Personal Data Protection Bill (DPDP) on Wednesday, marking a significant milestone as the nation's inaugural legislation aimed at safeguarding personal data. Ashwini Vaishnaw, the Minister of Communications and Information Technology, highlighted that the bill has been crafted to be adaptable to evolving technological concepts, allowing for the inclusion of emerging data ideas without necessitating subsequent amendments.
Vaishnaw revealed that the government has already initiated the groundwork for implementing the bill, and its execution will commence shortly. He highlighted that the rollout process will involve consultations with fiduciaries, ensuring a swift yet cautiously executed implementation.
Once the bill receives presidential assent and is officially notified in the gazette, it will become enforceable law. Notably, the law's enforcement comes six years after the Supreme Court's declaration that privacy is a fundamental right. This achievement marks the bill's successful passage in its second endeavour. The government initially introduced the original bill in 2019, but it was withdrawn last year following recommendations for 81 amendments by the joint parliamentary committee. This comprehensive review led to a complete overhaul of the bill, resulting in its current iteration.
“This is changing the entire digital economy, so we will take every step with proper checks, proper balance, and proper verification. We must make it a robust mechanism,” the minister said.
Homework for big tech and other companies
The proposed legislation mandates that companies, referred to as 'data fiduciaries', enhance their safeguards for digital data obtained from individuals, referred to as 'data principals'. This entails transparently communicating the nature of collected data and its intended use, designating a Data Protection Officer along with their contact details, and granting users the authority to delete or modify their personal information.
These stipulations bear resemblance to obligations found in global data protection statutes like the European Union's General Data Protection Regulation.
In instances where companies fail to uphold user data security or neglect disclosure obligations, the Bill suggests fines ranging from Rs 50 crore to Rs 250 crore. It's worth noting that these fines can accumulate, enabling the imposition of multiple fines on a single data fiduciary for each violation.
Additional directives, pertaining to the categorisation of 'significant' data fiduciaries and subjecting them to more rigorous requirements such as data audits and 'Data Protection Impact Assessments', will be communicated by the Union government at a later time.
The bill also introduces the concept of 'consent managers', designated as a centralised interface enabling users to provide, revoke, and manage their consent through an 'accessible, transparent, and interoperable' platform.
Additionally, the legislation requires these consent managers to register with the Data Protection Board and maintain an 'accountable' relationship with users, who are referred to as data principals. Furthermore, the bill grants consent managers the authority to lodge complaints on behalf of users, while also subjecting them to investigation in case of non-compliance with registration mandates.
The bill outlines a comprehensive set of rights and responsibilities for individuals whose data is being processed. Among these provisions, users possess the right to access information about their data processing, request the correction and erasure of personal data, avail grievance resolution mechanisms, and designate a proxy to exercise rights in exceptional situations.
Conversely, data principals are obligated not to submit 'frivolous' complaints and to refrain from impersonation or providing false information. Breaching these duties could result in a penalty of up to Rs 10,000.
Sivarama Krishnan, Partner & Leader, Risk Consulting, PwC India & Leader of APAC Cyber Security & Privacy, PwC said, “India is fast emerging as a leader in the global digital economy, thanks to a range of factors, including the digital initiatives of the Government and the increased digital adoption among consumers. Data is and will remain the key component of this thriving digital economy. The DPDP Bill 2023 is a much-needed leap in the right direction as it establishes the rights and duties of ‘Data Principals’, the owners of data, and the obligations and liabilities of ‘Data Fiduciaries’, who collect, store, and process the data.”
Copyright©2025 Living Media India Limited. For reprint rights: Syndications Today