What is the Digital Personal Data Protection Bill?
The Digital Personal Data Protection Bill aims to provide a comprehensive framework for the protection of personal data and the privacy of individuals in India. The Government of India has been working on a comprehensive data protection law for several years, and the proposed legislation is expected to be introduced in Parliament shortly. The latest version of this bill, known as India's Digital Personal Data Protection Bill 2022, is proposed legislation that aims to regulate the collection, storage, processing, and transfer of personal data of Indian citizens and empower them to have control over their personal data. The bill is modeled after the General Data Protection Regulation (GDPR) of the European Union, which was approved by the European Parliament in April 2016 and came into effect in May 2018.
What is the history of the Digital Personal Data Protection Bill?
In 2017, the Indian government formed a committee to draft a data protection law designed to safeguard the privacy of individuals. The committee submitted a report in 2018, which detailed various principles of data protection, many of which were again inspired by the GDPR, in order to inform the country’s regulatory framework. In 2019, formal legislation was introduced in the Indian Parliament, but it was highly criticized and eventually rescinded by the Indian government with a promise to create a more practical approach to data protection regulation. In 2022, a revised version of the Digital Personal Data Protection Bill 2022 (the “PDPB” or the “Bill”) was introduced in Parliament, which aims to provide strong protection for individuals' personal data while taking into consideration operational impacts. The Bill is yet to be presented, but the goal is for it to be passed by the Indian Parliament in the next 2023 session.
What are the key provisions of the Digital Personal Data Protection Bill?
The PDPB contains several provisions that are aimed at safeguarding the privacy of individuals. Some of the key provisions are:
- Consent: The Bill mandates that personal data can only be collected, processed, or transferred with the individual's explicit consent. The consent should be informed, specific, and voluntary, and the individual should have the right to withdraw it at any time.
- Data Protection Authority: The bill establishes a data protection authority (DPA) to oversee the implementation and enforcement of the Bill. The DPA will have the power to investigate violations of the law, issue penalties, and provide guidance on data protection.
- Right to be Forgotten: The bill provides individuals with the right to request the erasure of their data in certain circumstances. This right is limited to personal data that is no longer necessary for the purpose for which it was collected.
- Data Breach Notification: The bill mandates that entities that collect and process personal data must report any data breaches to the DPA and affected individuals.
What will be the impact of the Digital Personal Data Protection Bill 2022 on the Digital Landscape of India?
If the bill achieves its stated goal, it will help foster trust between individuals and the entities that handle personal data. This, in turn, may even lead to greater adoption of digital technologies and a boost for the economy.
The bill is also expected to have an impact on foreign businesses operating in India. The new version of the bill allows for India to evaluate foreign countries’ data protection regimes and then certify those as sufficient to provide destinations for Indian citizens’ data.
What are the challenges faced by companies complying with the Digital Personal Data Protection Bill 2022?
The implementation of the Digital Personal Data Protection Bill 2022 will pose some significant challenges to the business community. The bill mandates compliance with data protection standards, which may require significant changes to existing business processes. Entities will have to invest in data protection infrastructure, which may be a financial burden. The bill's provisions may also conflict with other laws and regulations, such as those related to national security.
What investments will companies need to make to comply with the Digital Personal Data Protection Bill 2022?
Complying with the bill will require significant investment. Businesses operating in the digital ecosystem will need to invest in new technologies and infrastructure to comply with the requirements of the bill. They will also need to hire professionals to ensure that their data processing activities are in line with the provisions of the bill. Businesses will need to conduct a comprehensive audit of their data processing activities to identify any areas of non-compliance. They will then need to implement the necessary changes, which could take a considerable amount of time and effort. Even something as simple as authenticating employees could be complicated by the bill.
Are there any criticisms of the Digital Personal Data Protection Bill 2022?
Some human rights groups have argued that while the Digital Personal Data Protection Bill 2022 is a step forward in protecting privacy, it falls short in several areas, such as giving the government too much power and not providing adequate protection for sensitive personal data.
How will the Digital Personal Data Protection Bill 2022 impact individual users?
If passed, the Digital Personal Data Protection Bill 2022 will have a significant and positive impact on individual users. Overnight, individuals will enjoy a host of new rights. Companies handling personal data will be more transparent, especially in the case of data breaches, and individuals will have the “right to be forgotten,” meaning they can request the erasure of their personal data.
The bill is a step in the right direction toward regulating data protection in India. It is going to give individuals more control over their personal data and ensure that their sensitive personal data is being protected. With the emphasis on customer identity and authentication, businesses must implement robust data protection measures to comply with the bill. The India Data Protection Bill is going to have a significant impact on individual users, and they must be aware of their rights and take steps to protect their privacy.
How can companies in India prepare for the Digital Personal Data Protection Bill 2022?
The Digital Personal Data Protection Bill 2022 has spurred business leaders across industries to reevaluate the way they collect and store their customers’ data. With a renewed appreciation for privacy, security, and frictionless user experiences, a growing number of Indian businesses are going to leverage Prove's authentication solutions to strengthen and streamline digital account access, improve the password reset experience, and even phase out the password altogether.
What’s wrong with the one-time password (OTP)?
Every day, over 1 billion SMS messages are sent in India. Many of those messages contain OTPs or one-time passwords. Not only do they add friction to the customer journey, but one-time passwords also have significant security vulnerabilities that are regularly exploited by fraudsters via fraudulent SIM swaps.
Unfortunately, SMS OTPs have contributed to a surge in account takeover fraud: SMS OTPs can be intercepted by bad actors via SIM swap fraud. As a result, they cannot be relied upon for their intended purpose of keeping fraudsters out of online accounts. For example, let’s say a fraudster already has a password to one of your online accounts and is initiating an online transaction on that account that requires an SMS OTP to be sent. By intercepting that SMS OTP, they can easily get the numerical password that was meant to be sent to you and key it in to gain access to your account. In an ironic twist, the SMS OTP that was meant to protect your account actually went to the fraudster, allowing them to access your account.
How can businesses phase out one-time passwords (OTP)?
Many companies leverage OTP-less multi-factor authentication like Prove Auth™ as a replacement for one-time passwords (OTPs) and other legacy technologies, which are expensive and can be easily compromised by fraudsters. Prove Auth™ is a unified authentication solution that leverages identity-based binding to minimize customer friction while still keeping fraud at bay. With Prove Auth™, companies can even go passwordless, enabling fast, easy, and secure authentication with on-device biometrics that delights customers and stops fraudsters.
Final Thoughts
The Digital Personal Data Protection Bill aims to provide a comprehensive framework for protecting the privacy of individuals in India, regulating the collection, storage, processing, and transfer of personal data. The bill will impact the digital landscape of India, foster trust between individuals and entities, and create a level playing field for businesses. However, complying with the bill's provisions will pose some challenges to the business community, such as financial investments and finding a balance between data protection and national security. Companies will need to invest in new technologies and infrastructure, hire professionals to ensure compliance, and implement the necessary changes. Fortunately, new technologies like Prove Auth™ can help make this transition streamlined.