According to a document dated August 1, 2023 made available today in respect of the list of business scheduled for the Lok Sabha’s coming calendar, the government will introduce an as-yet unreleased Union Cabinet-approved draft of the Digital Personal Data Protection Bill (“DPDP”) in India’s parliament tomorrow.
Despite stiff opposition, a parliamentary standing committee managed to adopt a favorable report on the revised 2023 version of DPDP, tabling it yesterday across both Houses and recommending an expeditious passage into law.
While DPDP is largely modeled on GDPR, India’s bespoke legislation may include a few key changes relative to the EU’s – such as in respect of significant data fiduciaries (“SDFs”), where the government is authorized to classify any entity as an SDF based on its own assessment of factors such as informational sensitivity, volume and the risk of harm.
Our last note on SDF parameters focused on sensitivity alone. Here, we address considerations related to ‘volume’ and ‘harm’, respectively. Since special obligations apply to SDFs (over and above those which all data fiduciaries must comply with), certain procedural aspects of impact assessments, automated processing and individual profiling may follow a GDPR-like template via bespoke regulation, as framed under DPDP later. Further, India’s existing SPDI Rules, as well as past and present legislative proposals, including the proposed Digital India Act and prior DPDP iterations, may provide indicative guidance.