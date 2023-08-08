The Lok Sabha gave its approval to the digital personal data protection bill, 2023 on Monday (August 7) through a voice vote.

The legislation, in its latest form, maintains the provisions from the initial version introduced last November, including aspects that were raised as concerns by privacy specialists, like exceptions for the central authority. The revised version of the proposed law has additionally granted the central government authority over virtual censorship.

This marks India's second attempt at developing a privacy-oriented legislation, following the government's consideration and abandonment of at least three prior drafts of data protection laws.

The next step involves the Bill's approval by the Rajya Sabha before it can be enacted into law.

The bill, aimed at regulating and safeguarding the use of personal data, was presented by Union Communications, Electronics, and Information Technology Minister Ashwini Vaishnaw.

However, the bill's introduction was met with strong opposition from leaders of the Opposition, who argued that it infringes upon the fundamental right to privacy.

The debate surrounding the bill revolved around concerns raised by the Opposition, including the demand that the bill undergo thorough scrutiny by the standing committee, citing the withdrawal of a previous data protection bill by the government last year.

Minister Vaishnaw defended the bill, asserting that it is not a money bill and that all concerns raised by the Opposition would be addressed during the subsequent debate.

Government's perspective: Safeguarding citizens' rights

While the Opposition voiced its concerns, Minister of State for Electronics and Information Technology, Rajeev Chandrasekhar, took to X (previously Twitter), to emphasise the bill's significance.

He commended the bill as a crucial step towards realising Prime Minister Narendra Modi's vision of establishing global-standard cyber laws for India's thriving digital economy.

Chandrasekhar highlighted that extensive consultations with stakeholders, including citizens, have informed the bill's development. He underlined that the bill, once enacted, would ensure citizens' rights, foster innovation, and enable legitimate government access in scenarios like national security threats and emergencies such as pandemics or earthquakes.

What is the Digital Personal Data Protection Bill ?



Understanding the digital personal data protection bill

The Digital Personal Data Protection (DPDP) Bill is a comprehensive legislative framework designed to delineate the rights and responsibilities of both citizens, referred to as "Digital Nagriks," and data fiduciaries – entities collecting and using personal data.

The bill is founded upon six fundamental principles aimed at governing the data economy.

The first principle underscores that the collection and utilisation of personal data must be lawful, secure against breaches, and transparent.

The second principle emphasises that data collection activities must have a legal purpose, and the collected data should be safeguarded until that purpose is fulfilled.

The third principle advocates for data minimisation, asserting that only pertinent information should be collected, and data usage should adhere to predefined objectives.

The fourth and fifth principles pertain to data protection, accountability, and accuracy. The final principle dictates the protocols for reporting data breaches, stipulating a fair and transparent process to inform Data Protection Boards of such incidents.

Key provisions and proposals of the DPDP bill

The DPDP Bill introduces several significant provisions to ensure data protection, privacy, and accountability:

Consent criteria: The bill mandates that processing personal data requires the explicit and informed consent of the individual, given freely and unambiguously. While consent remains central, a clause of deemed consent addresses situations where explicit consent is not mandatory. Data localisation and cross-border transfer: The bill permits cross-border data flow to specific countries and territories, accompanied by relaxed data localisation requirements, enabling greater flexibility in data handling. Data retention: A Data Protection Board, designed to be digitally proficient, will be established to oversee compliance and impose penalties. Data fiduciaries can retain personal data for business purposes even beyond the initial collection purpose. Penalties for data breaches: In cases of data breaches, the bill proposes substantial penalties. Failure to report a breach to the Data Protection Board and affected individuals could lead to a penalty of ₹200 crore (2,41,53,560.00 US$). Additionally, data fiduciaries or processors failing to ensure reasonable security safeguards could face penalties up to ₹250 crore (3,01,90,875.00 US$). Board-mandated penalties: The Board holds the authority to impose penalties outlined in Schedule 1 of the bill, with each instance not exceeding ₹500 crore (6,03,81,750.00 US$), if non-compliance by an entity is deemed significant.

Scope and applicability of the DPDP bill

The DPDP Bill's scope encompasses the processing of 'Digital Personal Data' within India's borders. It excludes non-personal data and data in non-digital formats from its purview.

The bill applies to digital personal data processing within India and abroad, particularly in cases of profiling or providing goods and services to Indian data subjects.

However, it does not extend to non-automated processing, processing for personal purposes by individuals, or personal data in records over a century old.

The introduction of the Digital Personal Data Protection Bill, 2023, stands as a significant development in India's journey towards a robust digital economy while safeguarding citizens' privacy and data rights.

