The Digital Personal Data Protection Bill, 2023

Information that can be used to identify or contact a specific individual is known as Personal Data. Personal Data is processed by both businesses and governmental organizations in order to supply goods and services. Processing personal data enables comprehension of user preferences, which may be helpful for customization, targeted advertising, and suggestion development.

Law enforcement may also benefit from the processing of personal data. However, unchecked processing may have detrimental effects on people's privacy, which has been acknowledged as a fundamental right. It may expose individuals to harm, including financial loss, reputational damage, and profiling.

India currently lacks a stand-alone data protection law. The use of personal data is governed under the Information Technology (IT) Act of 2000. A Committee of Experts on Data Protection, headed by Justice B. N. Srikrishna, was established by the national government in 2017 to look into matters pertaining to data protection in the nation. In July 2018, the Committee submitted its report. The Personal Data Protection Bill, 2019 was introduced in Lok Sabha in December 2019 based on the Committee's recommendations. The Bill was referred to a Joint Parliamentary Committee, which delivered its report in December 2021. The Bill was withdrawn from Parliament in August 2022. A Draft Bill was made available for public comment in November 2022. The Digital Personal Data Protection Bill, 2023 was tabled in Parliament in August of that year.

Key Issues and Analysis of the Digital Personal Data Protection Bill, 2023:

  • Exemptions given to the State for processing data on grounds such as national security may lead to data collection, processing, and retention beyond what is necessary. The fundamental right to privacy may be compromised by this.
  • The risks of harm resulting from the processing of personal data are not regulated by the Bill.
  • The right to data portability and the right to be forgotten are not granted to the data principal by the Bill.
  • The Bill facilitates the transfer of personal data outside of India, but only to nations that have been authorized. This mechanism might not provide a sufficient assessment of the level of data protection in the nations where the transfer of personal data is permitted.
  • The members of the Indian Data Protection Board will hold their positions for two years, with the possibility of reappointment. The Board's independence may be hampered by the short term and potential for reappointment.

Key Features of the Digital Personal Data Protection Bill, 2023:

Applicability:
The Bill applies to the processing of digital personal data in India where the data is either (i) gathered online or (ii) collected offline and converted to digital form. It also applies to processing done outside of India if the processing is done to provide goods or services in India. Personal data is any information about a person who can be identified from or in connection with that information. The term "processing" refers to any fully or partially automated action taken on digitally stored personal data. It includes gathering, keeping, using, and sharing.

Consent:
Only with the individual's consent and for a legal purpose may personal data be used. Before requesting consent, a notification must be given. Information about the personal data to be gathered and the processing goal should be included in the notification. The ability to revoke consent is always available. For "legitimate uses," which include (i) the specific purpose for which data has been willingly submitted by an individual, (ii) the government's supply of a benefit or service, (iii) a medical emergency, and (iv) employment, consent won't be necessary. The parent or the legal guardian must give consent on behalf of minors under the age of 18.

Rights and Duties of Data Principal:
A person whose data is being processed (referred to as the "data principal") is entitled to the following rights: (i) information about the processing; (ii) deletion of personal data; (iii) designating a substitute for themselves to exercise rights in the case of death or incapacity; and (iv) grievance redressal. Certain obligations will fall on data principals. They may not: (i) file a fictitious or baseless complaint; (ii) provide any false information; or (iii) impersonate another individual in certain circumstances. Duty violations are penalized by fines of up to Rs 10,000.

Obligations of Data Fiduciaries:
The entity that is responsible for deciding the purpose and method of processing, or "data fiduciary," is required to: (i) take reasonable steps to ensure the accuracy and completeness of the data; (ii) put in place reasonable security measures to prevent a data breach; (iii) notify the Data Protection Board of India and any affected individuals in the event of a breach; and (iv) erase personal data as soon as the purpose has been satisfied and retention is no longer required for legal purposes (storage limitation). Government organizations are exempt from storage restrictions and the data principal's right to erasure.

Transfer of Personal Data Outside India:
With the exception of nations that have been limited by notification from the central government, the Bill permits the transfer of personal data outside of India.

Exemptions:
In certain circumstances, the rights of the data principal and the duties of the data fiduciaries (apart from data security) do not apply. These consist of (i) crime prevention and investigation, and (ii) the upholding of legal rights or claims. Certain activities may be exempted by the central government from the Bill's application through notification. These consist of (i) processing by government agencies for the sake of state security and public order, and (ii) gathering information for research, archiving, or statistical purposes.

Data Protection Board of India:
The Data Protection Board of India will be established by the Central Government. The Board's main duties include (i) enforcing penalties for noncompliance, (ii) requiring data fiduciaries to take appropriate action in the event of a data breach, and (iii) listening to grievances brought forth by impacted parties. Members of the board will be appointed for two years with the possibility of reappointment. The number of Board members and the procedure for choosing them shall be specified by the national government. The TDSAT will hear appeals against the Board's judgments.

Penalties:
Penalties for numerous infractions are outlined in the schedule to the Bill, including up to (i) Rs 200 crore for failing to fulfill commitments to children and (ii) Rs 250 crore for failing to take security precautions to avoid data breaches. The Board will issue penalties following an investigation.
