In a statement, the Internet and Mobile Association of India (IAMAI) praised the Digital Personal Data Protection Bill (DPDP) as industry-friendly. It has struck the right balance between protecting the data principals’ interests and allowing room for tech start-ups to innovate and grow.

According to the feedback received from the majority of IAMAI members, the reconceptualization of the data protection framework in the DPDP to balance innovation and economic growth with the interests of users will go a long way to assuage concerns of digital businesses and help make India a trillion-dollar digital economy by 2025.

IAMAI, in particular, appreciates the more liberalized framework for cross-border data flows, as well as the exclusion of non-personal data from the DPDP Bill’s scope. IAMAI also appreciates that the Bill imposes only financial penalties for non-compliance as opposed to both financial and criminal penalties.

“By following a deep and wide process of consultation, including that of a joint parliamentary committee, excluding non-essential provisions, making a clear commitment that no Rules exceeding the provisions of the Act would be made, and yet protecting the interests of the state, citizens, and the digital economy, this Bill has possibly set up new standards of law-making,” said Dr. Subho Ray, President, IAMAI, in response to the Bill.

On behalf of its members, the association has asked the government to provide clarifications on the DPDP so that, once enacted, IAMAI members will be more compliant.

There are still questions about the timelines for implementing the various provisions of the Bill, as well as the mechanisms for obtaining verifiable parental consent to process children’s data.

Because the inclusion of specific timelines will provide a roadmap for the industry to better comply with the Bill, IAMAI has requested that the government indicate reasonable timelines by which the various provisions of the DPDP will be implemented and that such timelines be prescribed in a graded manner.

IAMAI has also urged the government to consider a more flexible approach to obtaining parental consent, as prescriptive mandates could have a negative knock-on effect on sectors that provide services to children.

IAMAI is confident that the final version of the law, as a result of consultation and collaboration, will benefit stakeholders who are invested in and committed to India’s digital ecosystem.

The Ministry of Electronics and Information Technology prepared a draft Bill titled the Digital Personal Data Protection Bill 2022 on December 7, 2022, and invited public feedback as part of its public consultation exercise. The draft Bill establishes the rights and duties of the citizen (Digital Nagrik) as well as the Data Fiduciary’s obligations to use the collected data lawfully.

It envisages the establishment of a Data Protection Board of India as part of the compliance framework to determine non-compliance with the provisions of the draft Bill, imposes penalties for such non-compliance, and perform such other functions as the Central Government may assign to it under the provisions of the draft Bill or any law.

Currently, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, promulgated by the Central Government in the exercise of its powers under the Information Technology Act 2000, outline the security practices and procedures that a body corporate or any person collecting, receiving, possessing, storing, dealing, or handling information on behalf of the body corporate must follow to protect persons.

These practices and procedures include the requirement that such body corporate or person publish a policy for privacy and disclosure of personal information, data, or information on the website, use information collected for the purpose for which it was collected, keep it secure, and obtain prior permission from the information provider before disclosing personal data.