India’s Digital Personal Protection Bill is moving full steam ahead as the Union Cabinet has approved the measure. The Bill will be presented during the upcoming monsoon session of India’s Parliament after being in limbo for more than 4 years, first being drafted in 2018 by a special committee headed by Justice B.N. Srikrishna.

Privacy advocates are concerned that the inability to move the Bill along will mean watering down what started out as a strong law regulating data protection, sharing, and storage. Revisions began in 2021 after the draft Bill was presented to the Join Parliamentary Committee, allowing for committee-recommended updates to be incorporated.

It’s not out of the norm, especially for a proposed law that would affect such a large number of consumers and organizations, to be met with resistance. A wave of companies seeking to keep the legislation at bay, or at least friendlier to their operations. Social media and technology companies specifically have rallied against the Digital Personal Protection Bill and it will continue to remain a subject of debate as the monsoon season commences on July 20^th.

Key Elements of India’s Proposed Digital Personal Protection Bill

• Consumer consent
• Data breach notification
• Transparency through policies and notices
• Purpose-based data processing
• Consumer rights
• Data localization

As with many international laws, data localization is a hot topic. In simple terms, data localization requires that organizations keep data in a centralized geographic location rather than spreading it across many jurisdictions, as practiced by many multinational companies. This type of regulation puts a huge monetary and operational cost on organizations that manage data across the globe, hence the resistance to this and other elements of the proposed Bill.

Analysis of Bill’s History & Trajectory

• There were major, major concerns over the extremely strictness of data sovereignty (which was solved earlier) and over abuse of enforcement (using the massive potential fines against companies the gov just doesn’t like  in a disproportionate way
• It is better aligned with GDPR and is likely to achieve adequacy (although it does include some ‘deemed’ consent).
• Definitions of PI, which is defined as “any data about an individual who is identifiable by or in relation to such data,” are more broad (inclusive of offline data and inferred data). There is the concept of data fiduciary, it contains few exemptions, and where data originates or is processed is irrelevant (it still applies if any part is in India).
• The Bill was strongly opposed by companies that don’t usually come out against legislation (for reasons listed above), but this has industry backing as it better allows for reasonable/protected cross-boarded data transfer.
• It looks like it finally has the support to pass as the government by seemingly reaching reasonable compromises and has support from key stakeholders. It is still a very contentious political environment but seems likely to pass by the end of the year.

Truyo President Dan Clarke says, “The impact of this law is extensive, both because it is the most populous country and because almost every company does business in India one way or another.” As the Bill moves its way through the Indian Parliament during the monsoon session, we will keep you apprised of updates and amendments as they become available.