On August 3, 2023, the Indian Government introduced the Digital Personal Data Protection Bill, 2023 (DPDP Bill) in the Indian Parliament. This marks the fifth version of personal data protection legislation and appears to draw from the draft Bill titled Digital Personal Data Protection Bill, 2022, released by the Ministry of Electronics and Information Technology on November 18, 2022, which underwent public consultations. The DPDP Bill specifically addresses digital personal data and does not encompass non-personal data. Its enactment will replace Section 43A of the Information Technology Act, 2000 (IT Act), as well as the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data of Information) Rules, 2011 (SPDI Rules).

Digital Personal Data Protection Bill 2023 Applicability

• The DPDP Bill exclusively pertains to digital personal data, which includes data collected in digital form or data that is digitized after collection.
• It applies to digital personal data processed outside India if related to offering goods or services to data principals (data subjects) in India.
• The DPDP Bill does not extend to: (i) personal data processed for personal or domestic purposes; or (ii) personal data made publicly available by the data principal or under legal obligation.

Data Protection Principles:

• The DPDP Bill encompasses essential principles:
  • Personal data must be processed solely for a lawful purpose, with the data principal’s consent and in compliance with the DPDP Bill.
  • Only necessary personal data should be collected.

Uniform Treatment of Personal Data:

• The DPDP Bill treats all forms of personal data uniformly and does not differentiate between categories like sensitive or critical personal data. Consequently, the requirements apply equally to all types of personal data, departing from the SPDI Rules that distinguish between ‘personal information’ and ‘sensitive personal data or information’.

Enroll now for UPSC Online Classes

Consent and Notice:

• Consent forms the basis for personal data processing and must be explicit, informed, unconditional, and unambiguous, obtained through affirmative action.
• Data principals can withdraw consent easily without affecting prior lawful processing.
• Notices must inform data principals of their rights, personal data details, purposes of processing, and methods for exercising rights.

Obligations of Data Fiduciaries:

• Data fiduciaries are accountable for DPDP Bill compliance, even when personal data is processed by data processors on their behalf.
• When data fiduciaries process personal data likely to impact the data principal, accuracy and completeness must be ensured.
• Personal data must be deleted when consent is withdrawn or the purpose is no longer relevant, except when retention is legally required.

Notification of Personal Data Breach:

• Data fiduciaries must inform the DPB (Data Protection Board) and affected data principals of personal data breaches.

Cross-Border Data Transfer:

• Data fiduciaries can transfer personal data abroad, except to countries restricted by the Central Government.
• If another law provides more protection or imposes restrictions on cross-border data transfer, that law prevails.

Significant Data Fiduciaries:

• Significant data fiduciaries, identified by the Central Government, face additional obligations like appointing a data protection officer and data auditor.

Data of Children and Persons with Disabilities:

• Processing children’s data requires parental consent. Behavioral monitoring and targeted advertising of children are prohibited.
• The Central Government can exempt certain data fiduciaries and processing purposes from parental consent and monitoring prohibition.

Enroll now for UPSC Online Course

Rights of Data Principals:

• Data principals have rights to access their data, correct it, and nominate someone to exercise rights on their behalf after their death or incapacitation.

Data Protection Board of India (DPB):

• The DPB enforces the DPDP Bill, with authority to impose penalties, inquire into breaches, and issue orders.
• Appeals against DPB orders can be made to the TDSAT and, subsequently, the Supreme Court.

Power to Call for Information and Block Access:

• The Central Government can seek information from the DPB, data fiduciaries, or intermediaries.
• In cases of repeated penalties and public interest, the Central Government can block access to information.

Penalties:

• Monetary penalties up to INR 250 crores may be imposed by the DPB based on breach severity.
• No compensation is provided for compromised personal data.
• Data principals may be penalized up to INR 10,000 for certain breaches of duties.

Voluntary Undertaking:

• The DPB can accept voluntary undertakings from those facing non-compliance actions under the law.

Exemptions:

• Provisions may be exempted for specific purposes and instrumentalities of the State or enforcement of legal rights.
• Data fiduciaries, including startups, can be exempted from certain obligations.

Enroll now for UPSC Online Classes

CURRENT STATUS of Digital Personal Data Protection Bill 2023: The DPDP Bill is currently before the Lok Sabha and awaits further consideration. After clearance by both Houses of Parliament and Presidential assent, it will become law.