The draft Digital Personal Data Protection Bill, 2022 did not consider several critical issues such as the regulation of hardware and devices and localisation of data with retrospective effect, which have been opposed by the global tech giants.
Abhishek Malhotra (managing partner, TMT Law Practice) said: “The draft Bill has watered down the objective of a data privacy and protection framework. It appears to give a simpler framework for people to be able to adopt seamlessly.”
“Unfortunately, however, the scope and applicability provisions have also been curtailed and limited to where the collection is online or digitised and where Indians are targeted for profiling. This is a departure from where the focus was on the entities, their activities and their presence,” Malhotra said.
The hardware regulation was dropped as its scope was too large and prone to misuse, allegations and counter-allegations and legal disputes, sources said. The new draft replaces the Personal Data Protection Bill, 2019, which was withdrawn by the government.
The older Bill mandated monitoring, testing and certification of hardware devices by the Data Protection Authority (DPA). This would have required the DPA to be armed with specific technical expertise.
Besides, it would have created an additional layer of compliance that had the potential to delay commercial access of hardware in the Indian market and create unreasonable responsibility on data fiduciaries for security of data on a consumer’s device.
“The draft Bill has simplified the proposed data protection regime and done away with some contentious clauses which caused industry pushback in earlier versions. Particularly, data mirroring, data localisation requirements and overall compliances appear to be limited compared to the previous Bill,” Rupinder Malik, partner, JSA said.
Prashant Phillips, partner, Lakshmikumaran and Sridharan Attorneys, said: “The Bill continues to retain significant penalties for non-compliance. Compliance with consent must remain a high priority for all companies processing personal data. This is especially when distinctions such as sensitive and critical personal data have not been included in the Bill.”
“The new Bill also differs from the 2019 Bill on certain points such as categorisation of personal data further into sensitive personal data and critical personal data, which has been done away with now. That being said, as widely anticipated, the bill provides for stringent financial penalties for up to Rs 500 crores for certain non-compliances,” Sumantra Bose, principal associate at Khaitan & Co said.