The Digital Personal Data Protection Bill 2023 seeks to establish a robust framework for the protection of personal data in the digital realm. It was passed in the Lok Sabha on Monday.
The schedule to the Bill specifies penalties for various offences, such as up to (i) Rs 200 crore for non-fulfilment of obligations for children, and (ii) Rs 250 crore for failure to take security measures to prevent data breaches. Penalties will be imposed by the Data Protection Board of India after conducting an inquiry.
The central government will establish the Data Protection Board of India. Key functions of the Board include: (i) monitoring compliance and imposing penalties, (ii) directing data fiduciaries to take necessary measures in the event of a data breach, and (iii) hearing grievances made by affected persons. Board members will be appointed for two years and will be eligible for re-appointment.
The central government will prescribe details such as the number of members of the Board and the selection process. Appeals against the decisions of the Board will lie with TDSAT.
Background
Currently, India does not have a standalone law on data protection. Use of personal data is regulated under the Information Technology (IT) Act, 2000. In 2017, the central government constituted a Committee of Experts on Data Protection, chaired by Justice B. N. Srikrishna, to examine issues relating to data protection in the country. The Committee submitted its report in July 2018.
Based on the recommendations of the Committee, the Personal Data Protection Bill, 2019 was introduced in Lok Sabha in December 2019. The Bill was referred to a Joint Parliamentary Committee which submitted its report in December 2021.[2] In August 2022, the Bill was withdrawn from Parliament. In November 2022, a Draft Bill was released for public consultation.[6] In August 2023, the Digital Personal Data Protection Bill, 2023 was introduced in Parliament.
Highlights of the Bill
The Bill will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised. It will also apply to such processing outside India, if it is for offering goods or services in India.
Personal data may be processed only for a lawful purpose upon consent of an individual. Consent may not be required for specified legitimate uses such as voluntary sharing of data by the individual or processing by the State for permits, licenses, benefits, and services.
Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.
The Bill grants certain rights to individuals including the right to obtain information, seek correction and erasure, and grievance redressal.
The central government may exempt government agencies from the application of provisions of the Bill in the interest of specified grounds such as security of the state, public order, and prevention of offences.
The central government will establish the Data Protection Board of India to adjudicate on non-compliance with the provisions of the Bill.
Key Issues and Analysis
Exemptions to data processing by the State on grounds such as national security may lead to data collection, processing, and retention beyond what is necessary. This may violate the fundamental right to privacy.
The Bill does not regulate risks of harms arising from processing of personal data.
The Bill does not grant the right to data portability and the right to be forgotten to the data principal.
The Bill allows transfer of personal data outside India, except to countries notified by the central government. This mechanism may not ensure adequate evaluation of data protection standards in the countries where transfer of personal data is allowed.
The members of the Data Protection Board of India will be appointed for two years and will be eligible for re-appointment. The short term with scope for re-appointment may affect the independent functioning of the Board.