India’s Data Privacy Bill and its Impact on Crypto Industry
- The DPDP Act 2023 introduces many new provisions, rules, roles, and mandates for the data collecting companies to follow and is likely to change the industry for goods.
- The new rules also aim to regulate the transfer of personal data outside India and include requirements for storing data within India.
- Most of the exchanges and crypto wallet services in India have user data in the forms of KYC and other user behavior data which they use to customize the experiences for their customers.
Government of India is Going to Implement the Data Protection Bill
Digital privacy, a term that did not exist when social media entered our lives, now has become a serious concern for society. Big data companies not only 'can' but 'are' manipulating their users' decision-making based on the patterns derived from their interactions with their services.
Regulating the use of users' data has become the need of the hour and to tackle this, the Government of India is going to implement the Digital Privacy and Data Protection Bill 2023. The new bill establishes a robust legal framework for digital data privacy, focusing on individuals having control over their data.
Will it affect the crypto industry? Yes, and in the story ahead we are going to cover that in detail. But before that, let's understand what is India's new DPDP bill 2023 and how it impact our lives.
India’s Road to Digital Privacy
This act was long required to safeguard consumer rights and instill trust in digital services, thereby enhancing user confidence. Aligning India with global data protection standards creates a conducive environment for digital innovation and economic growth.
The journey of India’s Digital Privacy Bill started in 2017, as KS Puttaswamy’s judgment reiterated privacy as a fundamental right for Indian citizens, leading to the draft of the Privacy and Data Protection Bill 2019 being introduced in Parliament.
This was followed by the Presidential nod to make this an act and forwarded to a committee under the Chairmanship of Justice Shikrishna which shared the report along with a draft of the PDP Act, 2018.
The bill was later referred to the Joint Parliamentary Committee (JPC) for further brainstorming and incorporating the suggestions of the matter experts. After the JPC's report, a new version of the act was released in December 2021.
Following this, the Ministry of Electronics and Information Technology released a new draft of the Digital Personal Data Protection Bill (DPDPB) for public consultation in November 2022 leading to a final approval of the Union Cabinet approval in 2023.
The bill was finally approved by the President of India to make Digital Personal Data Protection (DPDP) bill, an act.
Key points of DPDP Act 2023
The DPDP Act 2023 introduces many new provisions, rules, roles, and mandates for the data collecting companies to follow and is likely to change the industry for goods. Here are some of the key points which
The bill explicitly clarifies key terms like "data", "personal data", "Data Fiduciary", and "Data Processor" to remove any confusion or miscommunication in any formal dealings.
The bill also outlines the applicability of the rules in the context of digital personal data within and outside India.
The bill shares the details of the lawful purposes and consent requirements for data processing by the companies.
The new DPDP bill also mandates fiduciaries to comply with provisions and secure personal data. It also includes rights to access, correction, and deletion of personal data.
It also defines the appointments and responsibilities of the Consent Managers in handling the personal data of the company's users.
The bill proposes to establish the Data Protection Board of India, a regulatory authority for the personal data protection of Indians.
The bill specifies penalties for non-compliance and compensation for harm along with the situations and circumstances under which the Act's provisions do not apply.
The new rules also aim to regulate the transfer of personal data outside India and include requirements for storing data within India.
The government is also going to make special considerations for processing children’s data and other sensitive groups a mandate in the coming days.
Additionally, the act holds businesses accountable for data management, underlining responsible data handling. It also provides legal clarity for entities processing personal data, mitigating legal uncertainties.
Importantly, the act includes provisions that protect national interests and security, balancing individual privacy rights with broader societal needs.
Impact on the Crypto Industry
India is strong on the world crypto map with over 200 million users across the different spectrums of the Web 3.0 space. The new DPDP bill is also going to impact the operations of crypto businesses in the country and here’s how it will do it.
Localizing user data
Most of the exchanges and crypto wallet services in India have user data in the forms of KYC and other user behavior data which they use to customize the experiences for their customers.
Most of the time, the data managed by these companies are stored in international servers and not necessarily in India. However, the new bill's data localization norms will require crypto exchanges and wallets to store data within India which can impact the way they operate in the country.
Handling data
Apart from the data localisation norms, the crypto companies like other tech businesses will be forced to reassess the ways in which they handle the user data. The act makes it mandatory for companies to obtain consent from the users when it comes to using their data.
Traceability of transactions
The new bill empowers the user to decide how long they want their data to be with the service provider which means that companies will no longer withhold the user data as long as they want and use it as they deem fit. The crypto exchanges which store all KYC details for their customers along with a track of the transactions conducted from an account, will have to rebuild mechanisms to enable users to execute their power for data erasure.
Cross-border data transfer
Even though no rules have been particularly mentioned for blockchain businesses, the international crypto companies that transfer their user data to their global servers will have to re-evaluate their strategy. Apart from this, this could also impact the way in which crypto exchanges are used to conduct cross-border transactions. Businesses will also be obligated to appoint new 'Consent Managers' which will increase the transparency and compliance in the industry.
