Union Minister Ashwini Vaishnaw announced on Saturday that the Digital Personal Data Protection bill, which was passed by Parliament earlier this week, has now received the assent of the President.
The Digital Personal Data Protection (DPDP) Act seeks to protect the privacy of Indian residents. It proposes to impose fines of up to Rs 250 crore on organizations that misuse or neglect the security of people's digital information.
Some members of the Rajya Sabha demanded further clarification on the absence of mention of privacy, compensation, and harm in the bill. They specifically highlighted concerns about reputational damage from data breaches, particularly those involving women. Other points raised included the potential breach of data originating from foreign countries but processed within India, the need to establish data protection boards in each state to serve as mechanisms for the redressal of complaints, and the importance of preventing data mining by start-ups.
The bill arrives six years after the Supreme Court declared the "Right of Privacy" as a fundamental right. The bill reintroduces the provisions of the initial version of the legislation that was proposed in November of last year, which also includes exemptions for the central authority.
The bill sets out the way companies must process user data and empowers the government to seek information from companies and issue directions to block content based on the recommendation of a data protection board appointed by the Union government. This allows users to correct their personal information.
The bill has been criticized for giving too many exceptions to the Union government. Most state instruments are granted broad exemptions from these requirements, raising concerns about increased oversight. On the other hand, private industry participants praised the bill for relaxing stringent corporate demands, which were more common in the previous version.
The industry is expressing its opinions and concerns regarding the DPDP Bill 2023:
“The Digital Personal Data Protection Act is a welcome step towards strengthening India's cybersecurity posture. The act provides a comprehensive framework for regulating the use of data by private businesses, and it will help protect Indian citizens from cyber threats and other misuse of their digital data. We are pleased that the act includes provisions for data localization, which will ensure that data stays within the country’s borders. This is essential for protecting Indian citizens' privacy and security, and it will also boost job creation within the security space. We look forward to working with the Government of India to implement the act and strengthen cyber security postures within the country.” - Sunil Sharma, Vice President – Sales India and SAARC, Sophos
“The recently passed Digital Personal Data Protection (DPDP) Act by the government of India, is an important legislation that will provide much-needed clarity and certainty for businesses and individuals alike. It will aid in protecting data and privacy, while also promoting innovation and economic growth.
As a global leader in cloud and data management services, NetApp offers solutions that enable enterprises to protect the privacy and security of their customer's data in the most efficient way. We believe that the DPDP Act is a positive step towards ensuring that data is managed responsibly and ethically. We look forward to working with the Government of India, our partners, and all relevant stakeholders to ensure data resiliency across sectors and operations.” - Puneet Gupta, Vice President & Managing Director, NetApp
“It is a moment of pride for us as the Digital Personal Data Protection (DPDP) Bill has been granted the President's assent and made into an Act. This is a major step forward for India in protecting the privacy of its citizens. Fulcrum Digital is committed to complying with the provisions of the Act and ensuring that we handle our customers' data responsibly. The Act sets forth a comprehensive framework for the collection, use, and sharing of personal data in India and empowers individuals to take action against businesses that misuse it. The Act also establishes a Data Protection Authority to enforce the law and protect the privacy of citizens. The passage of the DPDP Act is a major victory for privacy advocates in India. It is a sign that the government is committed to protecting the privacy of its citizens. Fulcrum Digital is looking forward to working in tandem with the government to implement the Act in an effort to respect the citizens it protects and empowers.” - Vaibhav Tare, CISO & Global Head – Cloud & Infrastructure Services, Fulcrum Digital Inc.
“I think the passing of the Digital Personal Data Protection bill by the Rajya Sabha will enable to protect citizens’ personal data and privacy. It will create a framework for responsible and transparent handling of citizens’ data. It also lays down norms for social media intermediaries, cross-border transfer, and accountability of entities processing personal data, thereby significantly impacting several lives. I believe such robust data protection measures are absolutely essential in today’s digital world for fostering trust between businesses and consumers. - Kunal Nagarkatti, CEO, Clover Infotech
In the era of rapid digitization, India's stride towards fortifying data security through the Digital Personal Data Protection Bill, 2023, is both timely and imperative. This bill, informed by global data protection standards, addresses the critical issue of data security. Historically, companies in India have often overlooked security, leading to data breaches. This bill prioritizes the safety of citizen data and necessitates notifying users in the event of a breach.
Beyond legal obligations, data protection is a fundamental right empowering individual to control their personal information. The bill's emphasis on explicit consent for data processing builds trust between users and businesses. With India ranked seventh globally in data breaches, decisive action is necessary. The bill's robust technical measures, including encryption, data localization, and incident response protocols, align with international best practices and enhance accountability through a central Data Protection Board. The bill heralds a transformative era, empowering individuals, fortifying businesses, and aligning India's data protection practices with global benchmarks.” says Anand Prakash, CEO & Founder at PingSafe (a cloud security company).
“We welcome the Data Protection Bill; it is undoubtedly a forward-thinking legislative approach. The bill should be looked upon as a transformation and an opportunity to create a transparent, forthcoming, and accountable data governance framework going forward. In an interconnected world driven by data, safeguarding personal information and maintaining the trust of individuals is paramount. The imperatives of data security and privacy must loom large as India is set to lead the digital revolution in Identity and Payments. Within IDEMIA we have been delivering cutting-edge technologies to the world with the mission to protect the identity of consumers and citizens as both security and privacy constitute the very essence of our identity Technologies”, said Matthew Foxton India Regional President & Executive Vice-President, Branding & Communications at IDEMIA