The Digital Personal Data Protection Bill 2023 – the fifth iteration of India’s efforts to formulate a personal data protection law- has been tabled in the Parliament on 3rd August, 2023, and it brings some key changes compared to the 2022 iteration. The bill aims to balance individual rights with lawful data processing in the digital realm. It outlines guidelines for data users, responsibilities for businesses handling personal information, and aims to ensure lawful, transparent, and ethical data processing while promoting digital economy growth.

The DPDP Bill is built on six principles: lawful and transparent data collection, specific purpose data usage, data minimization, data protection and accountability, data accuracy, and reporting data breaches. It applies to digital personal data processing in India and extraterritorially, emphasizing consent and introducing explicit consent for minors. It establishes the Data Protection Board of India, granting regulatory power over data processing.

Positive aspects of the bill include privacy safeguards and promoting transparency, but concerns arise over government powers and lack of remedies for privacy violations. Despite its strengths, further refinement is needed. The bill encourages innovation, eliminates criminal penalties, and empowers the government to exempt certain businesses.

Key Benefits of the Digital Personal Data Protection Bill 2023

In summary, the DPDP Bill aims to balance data protection and growth, setting guidelines for data processing while addressing concerns and promoting transparency in India’s digital future. Few key benefits are as follows:

1. Greater Control: The bill gives you more control over your personal data. You have the right to know how your data is being used, the right to access and rectify it, and even the right to be forgotten. Your consent is crucial, ensuring that companies cannot use your data without your explicit permission.

2. Enhanced Privacy Rights: The bill empowers you with enhanced privacy rights. You can request the portability of your data, allowing you to switch between service providers seamlessly. Additionally, you have the right to know who has access to your data and can request changes or deletions as needed.

3. Strengthened Security: The legislation promotes data localization, meaning that certain sensitive personal data must be stored within India. This measure helps protect your data from unauthorized access and ensures it remains within the country’s jurisdiction, increasing your security.

4. Accountability: The bill establishes the Data Protection Authority of India (DPAI) to ensure compliance. Organizations that mishandle or misuse your data can face penalties, fostering accountability and encouraging companies to prioritize data protection.

5. Business Responsibility: With this bill in place, organizations must implement robust data protection measures, adhere to privacy-by-design principles, and appoint a Data Protection Officer. This commitment to data privacy enhances your trust in businesses and their responsibility to protect your information.

The Indian Data Protection Bill is a win for consumers, empowering you with greater control, enhanced privacy rights, and strengthened security. Your data privacy matters, and this legislation is a significant step towards safeguarding it.

Digital Personal Data Protection Bill 2023 in a Nutshell

Here’s a summary of the main points:

• Scope: The Bill applies to personal data collected in digital form or digitized non-digital data, with a clear and narrower list of exemptions.
• Notice and Consent: Data fiduciaries must provide a notice containing the purpose and description of data processing while obtaining consent. Consent should be free, specific, informed, and unambiguous.
• Grounds of Processing: The 2023 Bill introduces “legitimate uses” instead of “deemed consent” for non-consent-based processing and provides a narrow list of legitimate uses.
• Obligations of Data Fiduciaries: Data fiduciaries must establish grievance redressal mechanisms, ensure data accuracy, and report data breaches to the Data Protection Board (DPB) and users.
• Children’s Data: The Bill retains the definition of a ‘child’ – an individual below 18 years. Data fiduciaries must obtain ‘verifiable’ parental consent for processing children’s data and avoid detrimental effects on their well-being. The government can exempt certain data fiduciaries and processing from parental consent requirements.
• Rights of Data Principal: Data principals have rights to seek information, correct or erase personal data, and nominate someone to exercise their rights on their behalf.
• Cross-border Data Transfers: The Bill moves from a white-list approach to a negative list for data transfers.
• Data Protection Board: The DPB continues as an adjudicatory and enforcement body with new powers, and the government has control over its composition and operations.
• Blocking Power and Government’s Right to Call for Information: The central government or an authorized officer can order blocking of data fiduciary’s platform, and the government can call for information from the Board or any data fiduciary or intermediary.
• Exemptions: The Bill provides exemptions for data processing in certain scenarios, like investigation of offences, implementation of schemes, or processing data of data principals outside India under a contract.
• Penalties: The DPB can issue monetary penalties up to INR 250 crore for non-compliance.
• Rules and Implementation: The government has broad powers to make rules on various aspects, and the implementation will happen in stages, with no specific timelines yet.

The DPDP Bill is a comprehensive piece of legislation that will help to protect the privacy of individuals in India. The Bill is still under consideration by the Parliament, but it is a step in the right direction and it is likely to be enacted in the near future.

As a CERT-In Empanelled Auditor, Prime Infoserv is committed to ensure data security, privacy for our customers. In case you need any further inputs or support to safeguard your enterprise in line with DPDP Bill, may connect us at info@primeinfoserv.com or +9133 4008 5677.