India’s Digital Personal Data Protection Bill Receives Cabinet Approval

In an era dominated by technology and an increasingly interconnected digital landscape, the protection of personal data has emerged as a critical concern. Acknowledging the need for comprehensive legislation to safeguard citizens’ privacy and enhance cybersecurity, India’s Union Cabinet has approved the highly anticipated Digital Personal Data Protection Bill.

The bill would regulate the collection, use, and processing of personal data. It was approved by the Union Cabinet on July 6, 2023, and is currently being considered by the Parliament. This major step along with the recent NSE circular can be considered crucial in further improving the national cyber security posture.

The DPDP defines personal data as any information that can be used to identify an individual, and it sets out several principles for the processing of personal data, such as the requirement for consent, the right to access and correct data, and the right to be forgotten. The bill also establishes the Data Protection Authority of India (DPAI) as a statutory body to oversee the implementation of the law. Failure to follow the rules and regulations of data protection would result in heavy penalties, as mentioned in the bill.

Key Provisions of the New Digital Personal Data Protection Bill

Here are some of the key provisions of the bill:

Consent: Individuals must give their consent before their data can be processed. Consent can be either express or implied.

Data Minimization: Data fiduciaries (companies that collect and process personal data) must only collect the data that is necessary for the specific purpose for which it is being collected.

Data Security: Data fiduciaries must take all reasonable steps to protect the security of personal data.

Data Subject Rights: Individuals have the right to access, correct, delete, and port their data. They also have the right to object to the processing of their data.

Data Protection Authority: The Data Protection Authority of India (DPAI) will be responsible for enforcing the DPDP. The DPAI will have the power to investigate complaints, issue directions, and impose penalties.

The DPDP is a comprehensive and ambitious piece of legislation, and it is expected to have a major impact on the way that businesses collect, use, and share personal data in India.

Heavy Penalties of the New Digital Personal Data Protection Bill

The DPDP sets out several penalties for violations of the law. These penalties range from INR 10,000 to INR 250 crores. The specific penalty will depend on the nature of the violation.

Some of the more serious violations that could result in a high penalty include:

Failing to obtain consent before processing personal data
Failing to take adequate security measures to protect personal data
Failing to notify the Data Protection Authority of India of a data breach
Processing personal data for unauthorized purposes

The bill also provides for criminal penalties for certain violations. These penalties include imprisonment for up to 3 years and/or a fine of up to INR 1 Crore.

The heavy penalties are intended to deter businesses from mishandling personal data. The penalties are also intended to send a message that the government is serious about protecting the privacy of individuals.

Possible Impact of the New Digital Personal Data Protection Bill

Here are some of the possible impacts of the bill on consumers:

Personal Data Control: The bill empowers individuals with unprecedented control over their personal data. This landmark legislation grants individuals a suite of rights, including the right to comprehensive information about the usage of their data, the right to access and rectify it, and even the right to be forgotten.
Robust Privacy Rights: The bill provides individuals with the privilege of data portability, enabling them to seamlessly transition between service providers while retaining control over their data. Moreover, the bill ensures transparency by granting individuals the right to ascertain who has access to their data, empowering them to request modifications or deletions as deemed necessary.
Fortified Data Security: The bill encompasses measures to strengthen data security, notably through the promotion of data localization. This provision mandates that specific categories of sensitive personal data must be stored within India’s borders. The legislation aims to safeguard data from unauthorized access, bolstering its protection.
Promoting Accountability: A key feature of this bill is the establishment of the DPAI, which plays a pivotal role in ensuring compliance with data protection regulations. This regulatory body acts as a watchdog, holding organizations accountable for mishandling or misusing personal data.
Elevating Business Responsibility: This bill brings forth a heightened sense of responsibility for businesses operating in India. Organizations are obligated to adopt robust data protection measures, incorporating privacy-by-design principles into their operations. Additionally, they are required to designate a Data Protection Officer (DPO) to oversee and ensure compliance with data privacy regulations.

With the DPDP bill in place, organizations are compelled to prioritize data protection, demonstrating their commitment to for cyber protection.

Partnering with a CERT-In empanelled security auditor can add a lot of value in terms of maintaining an improved cyber security posture of your organization. Prime Infoserv is always ready to assist you with identifying vulnerabilities as well as providing recommendations to mitigate security gaps and maintain healthy cyber hygiene.