“A Bill to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto,” the Bill’s text says.
The President of India, Droupadi Murmu, on Friday granted assent to the Digital Personal Data Protection Bill, 2023 (DPDP Bill), which now becomes the Digital Personal Data Protection Act, 2023, after it was passed by both houses of Parliament by voice vote.
The Bill provides for the processing of digital personal data in a manner that recognizes both the rights of the individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.
- The Bill protects digital personal data (that is, data by which a person may be identified) by providing for the following:
- The obligations of Data Fiduciaries (that is, persons, companies and government entities that decide the purpose and means of processing personal data) in respect of data processing (that is, collection, storage or any other operation on personal data);
- The rights and duties of Data Principals (that is, the persons to whom the data relates); and
- Financial penalties for breach of rights, duties and obligations (the Schedule to the Act caps these at ₹250 crore per instance for failure to take reasonable security safeguards, and at ₹200 crore for failure to notify a personal data breach).
- The Bill also seeks to achieve the following:
- Introduce data protection law with minimum disruption while ensuring necessary change in the way Data Fiduciaries process data;
- Enhance the Ease of Living and the Ease of Doing Business; and
- Enable India’s digital economy and its innovation ecosystem.
The Bill is based on the following seven principles:
- The principle of consented, lawful and transparent use of personal data;
- The principle of purpose limitation (use of personal data only for the purpose specified at the time of obtaining consent of the Data Principal);
- The principle of data minimisation (collection of only as much personal data as is necessary to serve the specified purpose);
- The principle of data accuracy (ensuring data is correct and updated);
- The principle of storage limitation (storing data only till it is needed for the specified purpose);
- The principle of reasonable security safeguards; and
- The principle of accountability (through adjudication of data breaches and breaches of the provisions of the Bill and imposition of penalties for the breaches).
The Bill has a few other innovative features:
The Bill is concise and SARAL, that is, a Simple, Accessible, Rational & Actionable Law, as it—
- Uses plain language;
- Contains illustrations that make the meaning clear;
- Contains no provisos (“Provided that…”); and
- Has minimal cross-referencing.
- By using the word “she” instead of “he”, for the first time it acknowledges women in Parliamentary law-making.
- The Bill provides for following rights to the individuals:
- The right to access information about personal data processed;
- The right to correction and erasure of data;
- The right to grievance redressal; and
- The right to nominate a person to exercise rights in case of death or incapacity.
To enforce these rights, an affected Data Principal must first approach the Data Fiduciary through its grievance redressal mechanism. If the Data Principal is not satisfied with the response, he or she may complain against the Data Fiduciary to the Data Protection Board.
- The Bill provides for following obligations on the data fiduciary:
- To have reasonable security safeguards in place to prevent personal data breaches;
- To intimate personal data breaches to each affected Data Principal and to the Data Protection Board;
- To erase personal data when it is no longer needed for the specified purpose;
- To erase personal data upon withdrawal of consent;
- To have in place grievance redressal system and an officer to respond to queries from Data Principals; and
- To fulfill certain additional obligations in respect of Data Fiduciaries notified as Significant Data Fiduciaries, such as appointing a data auditor and conducting periodic Data Protection Impact Assessment to ensure higher degree of data protection.
- The Bill also safeguards the personal data of children.
- The Bill allows a Data Fiduciary to process the personal data of a child only with the verifiable consent of the child’s parent or lawful guardian.
- The Bill does not permit processing that is detrimental to the well-being of children or that involves tracking or behavioural monitoring of children or targeted advertising directed at them.
- The exemptions provided in the Bill are as follows:
- For notified agencies, in the interest of security, sovereignty, public order, etc.;
- For research, archiving or statistical purposes;
- For startups or other notified categories of Data Fiduciaries;
- To enforce legal rights and claims;
- To perform judicial or regulatory functions;
- To prevent, detect, investigate or prosecute offences;
- To process in India the personal data of persons outside India under a contract with a foreign entity;
- For approved merger, demerger etc.; and
- To locate defaulters and their financial assets etc.
- The key functions of the Data Protection Board of India are as follows:
- To give directions for remediating or mitigating data breaches;
- To inquire into data breaches and complaints and impose financial penalties;
- To refer complaints for Alternate Dispute Resolution and to accept Voluntary Undertakings from Data Fiduciaries; and
- To advise the Government to block the website, app etc. of a Data Fiduciary who is found to repeatedly breach the provisions of the Bill.