As India was preparing its first legislation on data protection over the last few years, one of the most important concerns was whether it would be able to strike a balance between the individual’s fundamental right to privacy and allowing innovation to flourish.
According to industry experts, the Digital Personal Data Protection (DPDP) Bill 2023, tabled in the Parliament on August 3, has been able to achieve this key balance.
They said the legislation has taken into account critical stakeholder feedback and seeks to strike a delicate balance between the fundamental right to privacy guaranteed to Indian citizens, reasonable restrictions associated with such right, business viability, and also the global requirements for being considered an adequate jurisdiction for data processing.
"The DPDP Bill strikes an important balance in protecting users’ rights and promoting innovation in digital businesses. Its key business-friendly provisions include eliminating criminal penalties for non-compliance, facilitating international data transfers etc. On the other hand, it also provides for a comprehensive set of rights guaranteed to data principals which aims to create a transparent and accountable data governance framework going forward," said Shahana Chatterji, Partner at Shardul Amarchand Mangaldas & Co.
To understand the criticality of achieving a balance between the right to privacy and supporting innovation, one needs to take a look at the European Union.
There are around 650 tech unicorn startups in the US. Although the European Union’s economy is about 32 percent smaller, it has only one-fifth the number of unicorns. This is despite the global funding boom of the last few years.
Many in the tech world blame this disparity on the General Data Protection Regulation (GDPR) brought about by the European Union in 2016. It has not only had its intended chilling effect on big tech, but also stifled tech innovation by startups in the region.
"Whatever the privacy benefits of GDPR, they come at substantial costs in foregone innovation," observed a study titled 'GDPR and the lost decade of innovative apps' in the National Bureau of Economic Research last year.
Experts said that while there were quite a few issues with the previous versions of India's data protection bill, those have been resolved now.
For example, an earlier provision that granted wide exemptions to the government on handling individuals’ personal data under the bill has been done away with.
Although the latest bill retains some of the exemptions for the government to deal with national security issues and disasters like the pandemic, and to maintain public order, public authorities will be on an equal footing with non-governmental organisations and private bodies if there is a data breach.
"The heartening aspect about this piece of legislation is that the Ministry has extensively consulted with all categories of stakeholders and has been receptive to feedback to a large extent, such as lowering the age requirement for seeking parental consent for limited use cases on the basis of a determination to be made by the government," said Shreya Suri, Partner at legal firm IndusLaw.
Another issue that was flagged was that defining a child under the bill as an individual under the age of 18, and requiring platforms to take parental consent to process children’s data, would not allow businesses to create edtech products for kids. Several industry bodies representing the likes of Google and Meta wanted the age to be brought down to 13.
While the government has stood its ground on the age definition of 18 years, it has sought to address the industry’s concerns by adding a caveat that if the government finds that a platform is safely processing data of a child, then it can be certified to take up children's data processing without the consent of their parents, or even take up targeted advertising.
"This lowering of age would be applicable only to those processing activities of businesses which are deemed verifiably safe by the Indian Government. This provision aims to strike a balance between protecting the privacy and data protection rights of children while recognizing the increasing use of the internet by teenagers for various activities. This approach is similar to that of laws in other jurisdictions, such as the EU GDPR," said Supratim Chakraborty, Partner at law firm Khaitan and Company.
The bill mandates that consent for the collection of personal data must meet specific criteria, including being specific, informed, unconditional, unambiguous, and limited to the extent necessary for the specified purpose. It provides that even where consent is obtained for a specified purpose, the consent will only be valid where the processing of personal data is necessary for such specified purpose. This provision has significant implications for businesses, as they will now be required to obtain consent only for processing that is necessary for the purpose for which the data is being collected.
"We welcome the Digital Personal Data Protection Bill 2023, as it clarifies and simplifies the rights and obligations of data principals and fiduciary/data processors within an overarching framework for consent, privacy, security, and grievance redressal. It embodies the right of individuals to protect their data and the need to process personal data for lawful purposes. We firmly believe the Bill will significantly support building a robust, safe, customer-centric digital lending ecosystem," said Sugandh Saxena, CEO of fintech industry body FACE.