Digital Personal Data Protection Bill 2023 has set in motion a transformation in India’s data privacy landscape

The Bill protects digital personal data (that is, the data by which a person may be identified) by providing for the following:

  1. The obligations of Data Fiduciaries (that is, persons, companies and government entities who process data) for data processing (that is, collection, storage or any other operation on personal data);
  2. The rights and duties of Data Principals (that is, the person to whom the data relates); and
  3. Financial penalties for breach of rights, duties and obligations.

The Bill also seeks to achieve the following:

  1. Introduce data protection law with minimum disruption while ensuring necessary change in the way Data Fiduciaries process data;
  2. Enhance the Ease of Living and the Ease of Doing Business; and
  3. Enable India’s digital economy and its innovation ecosystem.

The Bill is based on the following seven principles: 

  1. The principle of consented, lawful and transparent use of personal data;
  2. The principle of purpose limitation (use of personal data only for the purpose specified at the time of obtaining consent of the Data Principal);
  3. The principle of data minimization (collection of only as much personal data as is necessary to serve the specified purpose);
  4. The principle of data accuracy (ensuring data is correct and updated);
  5. The principle of storage limitation (storing data only till it is needed for the specified purpose);
  6. The principle of reasonable security safeguards; and
  7. The principle of accountability (through adjudication of data breaches and breaches of the provisions of the Bill and imposition of penalties for the breaches).

The Bill is concise and SARAL, that is, Simple, Accessible, Rational & Actionable Law, as it:

  1. Uses plain language;
  2. Contains illustrations that make the meaning clear;
  3. Contains no provisos (“Provided that…”); and
  4. Has minimal cross-referencing.

Applicability:  The Bill applies to the processing of digital personal data within India where such data is:

  1. Collected online, or
  2. Collected offline and is digitized.

It will also apply to the processing of personal data outside India if it is for offering goods or services in India.

Personal data is defined as any data about an individual who is identifiable by or in relation to such data.

Processing has been defined as wholly or partially automated operation or set of operations performed on digital personal data.  It includes collection, storage, use, and sharing.

Consent:   Personal data may be processed only for a lawful purpose after obtaining the consent of the individual.  A notice must be given before seeking consent.  The notice should contain details about the personal data to be collected and the purpose of processing.  Consent may be withdrawn at any point in time.

Consent will not be required for ‘legitimate uses’ including: (i) specified purpose for which data has been provided by an individual voluntarily, (ii) provision of benefit or service by the government, (iii) medical emergency, and (iv) employment.  For individuals below 18 years of age, consent will be provided by the parent or the legal guardian.  Parental consent can be taken via the government e-document wallet DigiLocker.  This may increase compliance costs for social media.

Rights and duties of data principal:  An individual, whose data is being processed (data principal), will have the right to:

  1. Obtain information about processing,
  2. Seek correction and erasure of personal data,
  3. Nominate another person to exercise rights in the event of death or incapacity, and
  4. Seek grievance redressal.

Data principals will have certain duties.  They must not:

  1. Register a false or frivolous complaint, and
  2. Furnish any false particulars or impersonate another person in specified cases.

Violation of duties will be punishable with a penalty of up to Rs 10,000.

Obligations of data fiduciaries:  The entity determining the purpose and means of processing (the data fiduciary) must:

  1. Make reasonable efforts to ensure the accuracy and completeness of data,
  2. Build reasonable security safeguards to prevent a data breach,
  3. Inform the Data Protection Board of India and affected persons in the event of a breach, and
  4. Erase personal data as soon as the purpose has been met and retention is not necessary for legal purposes (storage limitation).  In case of government entities, storage limitation and the right of the data principal to erasure will not apply.

Significant data fiduciaries:  Certain data fiduciaries may be designated as significant data fiduciaries.  Factors to be taken into account include:

  1. Volume and sensitivity of personal data processed,
  2. Risks to the rights of data principals,
  3. Security of the state, and
  4. Public order.

These entities will have certain additional obligations including: (i) appointing a data protection officer, and (ii) undertaking impact assessment and compliance audit.

Exemptions:  Rights of the data principal and obligations of data fiduciaries (except data security) will not apply in specified cases.  These include:

  1. Prevention and investigation of offences, and
  2. Enforcement of legal rights or claims.

The central government may, by notification, exempt certain activities from the application of the Bill.  These include:

  1. Processing by government entities in the interest of the security of the state and public order, and
  2. Research, archiving, or statistical purposes.

Processing of personal data of children:  The Bill defines children as those below 18 years of age, which is above the global threshold.  While processing the personal data of a child, the data fiduciary must not undertake:

  1. Processing that is likely to cause any detrimental effect on the well-being of the child, and
  2. Tracking, behavioral monitoring, or targeted advertising.

Cross-border transfer:  The Bill allows the transfer of personal data outside India, except to countries restricted by the government through notification.

Data Protection Board of India: The central government will establish the Data Protection Board of India.  Key functions of the Board include:

  1. Monitoring compliance and imposing penalties,
  2. Directing data fiduciaries to take necessary measures in the event of a data breach, and
  3. Hearing grievances made by affected persons.

Board members will be appointed for two years and will be eligible for re-appointment.

Penalties:  The schedule to the Bill specifies penalties for various offences, such as penalties of up to:

  1. Rs 200 crore for non-fulfilment of obligations for children, and
  2. Rs 250 crore for failure to take security measures to prevent data breaches.

Conclusion:

The Digital Personal Data Protection Bill 2023 will make social media more accountable, boost the business of the IT industry and change the way organizations process the data of Indians.  The exemptions given to the Government under the proposed law are far fewer than what the European privacy law provides.  There have been many instances where global customers of the IT industry questioned whether India has a proper data protection regime.

This will also make social media platforms accountable.  They will be bound by the same rules that Indian companies will be bound by.  They will also have to implement measures for the protection of the personal data of Indians.  Overall, there will be significant behavioral change in the organizations that collect and process data.  The sharing of data between organizations will certainly change.

The law is very simple and neatly drafted, so the regulations and rules will be drafted the same way.  There won’t be a multitude of layers of regulations.  The implementation structure will be entirely digital, and work on the rules and regulation framework has already started.  The rules will also be simple, very straightforward and easy to implement.
