TechTicker Issue 48: Half a decade later, a data protection law is here

On 9th August, the Digital Personal Data Protection Bill, 2023 was finally passed in the Parliament. We’ve waited for over half a decade, broken up with several versions of the bill – and several reports on the bill. Given average attention spans these days – not many things have been this relevant for this long – and rightfully so.

In this edition, we discuss the Digital Personal Data Protection Bill, 2023; the upcoming digital competition law; TRAI’s attempt to regulate OTTs; and a possible cybersecurity bill – among other stories.

The finish line – the new data bill

What stood out? The bill introduces a ‘negative-list’ for cross-border data transfers – allowing data to be transferred to other countries by default – unless the government says NO. Now, data made publicly available by a user or made available under a legal obligation will not be regulated under the bill. Think of all the angry rant blogs you wrote that may not be covered by this bill. As a data principal – you will have the right to withdraw consent, correct data, and grievance redressal. Meanwhile, the bill continues to recognize consent as the primary way for businesses to process data – where businesses must give you a ‘notice’ – and tell you what data they collect and for what purpose.

Notably, it also permits processing for a limited list of ‘legitimate uses’- where consent may not be explicitly needed. Read Nehaa and Sreenidhi’s piece on TOI explaining the possible impact of the bill. Businesses must obtain parental consent to process children’s data. And are prohibited from targeting advertisements to them. The government can exempt certain businesses from this restriction. Read Pallavi’s view on what the provision on children’s data means. The new law will likely be implemented in a phased manner.  Like its previous versions, it continues to empower the central government to make rules on several aspects. Read our primer to understand how to prepare for the bill. Also, here are the other key takeaways of the bill.

The new and unanticipated: Now, the government may block access to a platform – in case of repeated violations. In this context, Aman noted that this is a ‘service-blocking’ provision for businesses non-compliant with the bill – intended as a reasonable restriction on the freedom of trade, rather than on the freedom of speech.

The bill will now be sent to the President for her assent, following which it will become an act. The implementation of the law is subject to notification of timelines by the central government in the official gazette.

Before we leave you with much to think about the bill – here is a fun little game:

Source: Ikigai Law

In case you missed it!

  • Hard days for IT hardware: Starting 01 November 2023 – import of laptops, tablets, all-in-one personal computers, ultra-small form factor computers, and servers will be allowed only with a valid license – except under certain circumstances. This move is part of the Indian government’s strategy to boost domestic manufacturing and address national security concerns around imported IT hardware. Also, government sources shared that applying for an import license will take only 5 minutes, and the license will be valid for one year. The industry, however, is seeking that the implementation of the restriction be pushed by 9-12 months.
  • Whose competition is it but? The Committee on Digital Competition Law is expected to finalize its report on the need for a digital competition law this month. Following concerns raised on the overlap of prospective regulations on the digital economy -the finance minister, Nirmala Sitharaman and minister of state IT, Rajeev Chandrasekhar, clarified that the Digital India Act (“DIA”) will prescribe broad principles on digital competition, with the digital competition law enforcing specific rules for the tech sector. In other news, to regulate the digital economy, the Competition Commission of India established the Digital Markets and Data Unit last month. The unit will be the point of contact for stakeholder engagement on digital markets and examine competition issues.
  • Cybersecurity: The government is likely to notify a cybersecurity bill that may define various aspects of online safety – including what constitutes cyber fraud. The bill may be a part of the DIA or supplement it. It will also have penalties for cyber breaches. The bill is at a pre-drafting stage and is likely to impact businesses and individuals both.
  • The e-commerce policy: The Department for Promotion of Industry and Internal Trade is actively working on the ‘E-commerce Policy 2023’, and it is expected to be released soon.  Draft versions of the policy were released in 2019, and leaked in 2020 and 2021. These iterations – restricted the relationship between e-commerce platforms and its sellers, treated data as a national resource, required e-commerce platforms to proactively monitor counterfeit products, and established a dedicated e-commerce regulator. Some of these themes may re-emerge in the new version.
  • The telecom expectation – A new draft Telecommunication Bill has reportedly been approved by the Union Cabinet. The new iteration is reportedly conceptualised as an umbrella legislation for all forms of communication/ carriage of voice and data. Reports also suggest that the central government has opted for a light-touch licensing regime for OTTs – with the focus being on protecting users, ensuring their safety and building online trust. More information on this new version is awaited. Meanwhile, last month, the Telecom Regulatory Authority of India released a consultation paper seeking views on the possible ways to define, differentiate and regulate OTT communication services. It also looks to assess various methods that can be used to facilitate selective banning of OTT communication services, to avoid complete internet shutdowns.

For more on the topic please reach out to us at

the status quo

Sparking Curiosity...