The Digital Personal Data Protection Bill, 2023 (the “Bill”) as introduced in Lok Sabha on August 3, 2023, intends to govern the processing of personal data, and to put forth the legal framework to deal with data privacy and data protection. The Bill also encourages and assists the development of a digital economy. The Bill defines and underlines terms like ‘consent’, ‘notice’, and ‘legitimate use’. It not only gives individuals the right, but it also tries to raise awareness and build a better comprehension of these concepts through various illustrations.
Some of the relevant provisions of the Bill that need to be highlighted are summarized below:
The Bill covers the handling, processing and protection of digital personal data within India, whether obtained online or offline and later digitized. Under the Bill, personal data is any information that can be used to identify or be associated with an individual. The Bill also applies to the processing of personal data outside India when it involves offering products, goods or services within India. Processing operations include collection, storage, use, and sharing of personal data.
- Data Protection Board of India
The Central Government proposes to establish the Data Protection Board of India (the “DPB”) to ensure efficient enforcement and monitoring. Monitoring compliance, implementing sanctions for non-compliance, directing data fiduciaries during data breaches, and handling grievances from affected individuals are all obligations of the DPB. The Bill further provides that members of the DPB would be appointed for a two (2) year term, with the option of re-appointment.
- Role of consent
The necessity for legitimate processing, which entails gaining explicit agreement from the individuals whose data is being processed, is a critical intent behind the introduction of the Bill. The Bill places an obligation on data fiduciaries to seek express consent from an individual for the collection of personal data, after providing clear and thorough information to the individual as to the purpose for which the data is being gathered and processed. It is interesting to note that the Bill gives an individual the right to revoke his/her consent at any moment. In the case of individuals under the age of 18, consent can be given by the parents or legal guardians, as the case may be.
The Bill, however, sets out certain ‘legitimate uses’ of personal data in relation to an individual, where prior consent as aforesaid would not be necessary.
- Rights and duties of data principals
Individuals whose data is being processed, known as data principals, are given certain rights to exercise control over their personal information, such as the right to obtain information about how the personal data is being processed, the right to request rectification or erasure of such data, and the right to appoint representatives to act on their behalf in the event of incapacity or death.
The Bill also provides a mechanism for data principals to raise grievances before the DPB. However, the Bill provides that data principals must refrain from filing misleading or frivolous complaints, as well as from giving inaccurate information or impersonating others. For infringement of the obligations imposed on data principals, the Bill puts forth a fine of up to INR 10,000 (Ten Thousand).
- Obligations of data fiduciaries
Data fiduciaries, or entities in charge of collecting and/or processing personal data, are charged with special duties to protect the data of individuals. The Bill obliges them to ensure data accuracy and completeness, in addition to implementing strong security measures to prevent data breaches. The Bill also requires data fiduciaries to notify the DPB and affected individuals in the event of a breach, and to delete the personal data once the purpose for which it was obtained has been met and retention is no longer required (storage limitation). Government organizations, however, are exempt from the storage limitation and from the right of data principals to erasure.
- Significant Data Fiduciaries
Certain data fiduciaries are designated as significant by the Bill based on factors such as the volume and sensitivity of personal data, potential threats to data principals’ rights, and implications for state security and public order. These significant data fiduciaries have additional responsibilities, such as appointing a data protection officer and conducting impact assessments and compliance audits in relation to personal information and data.
While the Bill aims to protect data principals’ rights and lays down data fiduciaries’ obligations, there are several exceptions. In particular, the rights of data principals and the obligations of data fiduciaries (with the exception of data security) do not apply in circumstances of offense prevention and investigation, as well as the enforcement of legal rights or claims. Exemptions may also be granted by the Central Government for specialized operations such as processing of personal information and data by the Government to ensure security and public order, in addition to collection and assessment of data for research, inspection and statistical assessment.
- Processing of Personal Data of Children
The Bill provides that while dealing with personal data in respect of children, the data fiduciaries must exercise prudence to ensure that it does not have a negative impact on their well-being. Furthermore, the Bill prohibits use of data for tracking, behavioral monitoring, and targeted advertising to children.
- Cross-Border Transfer
The Bill enables data fiduciaries to transfer personal data outside India, with the exception of countries restricted by the Central Government (via formal notification) from time to time.
The Bill specifies harsh consequences for various violations set out therein. Non-compliance with duties relating to children’s data can result in fines of up to INR 2,000,000,000, while failure to take suitable security measures to prevent data breaches (by data fiduciaries) can result in fines of up to INR 2,500,000,000.
The Bill of 2022 empowered the DPB to impose a hefty penalty of INR 5,000,000,000, whereas the Bill of 2023 has capped it at INR 2,500,000,000. Moreover, the Bill of 2023 provides the Central Government with an excessive amount of power, from the exemptions allowed under the Bill of 2023 to the Central Government’s potential influence in the DPB’s constitution. This does not appear to be consistent with the Puttaswamy judgement, which described the proportionality test for privacy laws.
Also, the Bill of 2023 still appears to be a relatively simplified, rather than a full and complete, privacy regulation. Many unclear and ambiguous terms are used in the Bill, such as ‘reasonable time’, ‘reasonable security safeguards’, ‘significant breach’, etc. Though the Bill provides for penalties ranging from INR 10,000 to INR 2,500,000,000 for ‘significant breach’, it is left to the discretion of the DPB to decide what would be construed as a ‘significant breach’, as the Bill fails to elaborate on it.
Nonetheless, it would be reasonable to expect that the associated rules (yet to be formulated) will end up shedding light on the above.
– Dhruv Gandhi, Partner and Chaitanya Sharma, Associate
Disclaimer: The contents of the above publication are based on interpretation, analysis and understanding of applicable laws and updates in law, within the knowledge of the authors. Readers should take steps to ascertain the current developments given the everyday changes that may be occurring in India or internationally on the subject covered hereinabove. These are personal views of the authors and do not constitute a legal opinion, analysis or interpretation. This is an initiative to share developments in the world of law or as may be relevant for a reader. No reader should act on the basis of any statement made above without seeking professional and up-to-date legal advice.
 Such as processing data for specific objectives provided willingly by persons, government service provisions, medical situations, and employment.