India: The Digital Personal Data Protection Bill Draft
19 January 2023
In India, the Union ministry for electronics and technology (MeitY) proposed a new data protection law, the Digital Personal Data Protection Bill (DPDP). In mid-November, the draft was submitted for public consultation before the measure is introduced in parliament, and it should incorporate feedback from civil society, stakeholders and digital rights experts. MeitY is now gathering and analyzing the comments and suggestions received in order to move the bill forward. However, the government has not communicated a precise timetable.
Adequate Protections for Children
The Digital Personal Data Protection Bill is the latest attempt by the Bharatiya Janata Party (BJP)-led central government to enact India’s first data privacy law, after a previous version, introduced in parliament in December 2019, was dropped in August 2022. Opposition lawmakers, technology companies, and advocacy groups criticized the earlier data protection bill, but the current draft also fails to address their key concerns, including not providing adequate protections for children.
Indeed, the DPDP Bill defines a child under Clause 2(3) as someone below the age of 18 years. Clause 10 of the Bill contains obligations for data fiduciaries such as Google, Apple and Meta: to obtain verifiable parental consent, not to undertake tracking or behavioral monitoring of children, and not to target advertisements at them.
Big Tech has sought, among other things, a revision of the definition of a child under the DPDP Bill to mean an individual under the age of 13, a re-look at the provisions to facilitate cross-border data transfer, and a transition period of around two years for the implementation of this legislation.
Contractual cross-border transfer of data
Additionally, the two major organizations representing big tech (Asia Internet Coalition and Business Software Alliance) have asked for more clarity on Clause 17 of the DPDP Bill, which governs the transfer of all forms of personal data outside India. The Bill says the data can be transferred to countries which the government allows (a white-list approach).
AIC and BSA urged MeitY to provide a “negative list of countries” where personal data cannot be transferred and suggested that the Bill, apart from the white-list approach, should have an accountability model.
Both BSA and AIC also suggested that the Bill should be revised to state that cross-border transfer of data will be permitted anywhere for contractual purposes.
Time period of implementation
The Bill states that different provisions may come into force on different dates. However, Big Tech is concerned with the lack of clarity on the timeline for the implementation of its various provisions.
As mentioned at the beginning of the article, the Indian Ministry did not suggest any specific timeline.