THE NEWS:
The Indian government on Thursday tabled the Digital Personal Data Protection Bill, 2023 before parliament, aiming to protect privacy and regulate the transfer of personal data within and beyond the country.
The bill introduces significant obligations on businesses collecting data on their own account, called “data fiduciaries,” setting broad rules for data processing, use and retention. It prescribes specific regulations for consent, purpose limitation, data accountability, transparency and accuracy.
The bill also sets specific parental consent requirements for processing children's data, and restricts data fiduciaries from tracking or behavioural monitoring of children and from directing targeted advertisements at them.
In a significant shift in policy, the bill also widens the scope for cross-border data flow and relaxes data localisation requirements.
THE TAKE:
“While the Digital Personal Data Protection Bill 2023 has kept several features of the version released in 2022, one of the standout provisions is the introduction of a negative-list approach for cross-border transfer of personal data. As per this provision, personal data may be transferred to all jurisdictions, unless specifically prohibited. It has also been clarified now that a stricter law on cross-border transfer of personal data (e.g. any relevant sectoral law) will prevail over this new data law.
Another watch-out area for businesses is the hardening stance of ‘consent’ being strictly tied to ‘purpose’. The ‘purpose limitation principle’ is usually not strictly followed by businesses in India.
Also, the new bill makes data fiduciaries (akin to data controllers) largely responsible for the activities of data processors that they engage. This may require businesses to take a relook at the contractual arrangements that they have with their data processors.”
- Supratim Chakraborty, partner, Khaitan & Co.