Following extensive negotiations spanning almost five years that involved the government, technology companies, and representatives from civil society, the Digital Personal Data Protection Bill, 2023, was presented by the Centre in Parliament on Thursday, August 3.
This proposed legislation outlines the protocols and guidelines governing the collection and utilization of information and personal data pertaining to the citizens of India, both by corporations and the government.
Over the course of five years, the legislation has undergone multiple iterations and revisions. Initially, it started as a draft that embraced the fundamental principles of privacy safeguards observed in Europe, empowering individuals to have control over their online data usage. As the process unfolded, several amendments were introduced, incorporating certain suggestions to accommodate corporate interests and foster competition, in a manner that bears resemblance to elements observed in US legislation.
Digital Personal Data Protection Bill, 2023
The 2023 Bill exhibits notable differences compared to its predecessor, the 2022 Bill. These include the adoption of a negative-list approach for cross-border data transfers, the elimination of provisions concerning reasonable purposes and public interest justifications for data processing, exemptions for publicly available data and data that is subject to a legal obligation, exemptions for specific scenarios involving data fiduciaries and their obligations regarding parental consent and children’s data processing, and the granting of government authority to block access to a data fiduciary’s platform. These revisions, along with others, constitute significant modifications proposed by the bill. The Bill is designed to be concise, with its provisions taking a principle-based and high-level approach, while specific implementation details will be outlined in accompanying rules.
Key Provisions of the Bill:
Scope and Jurisdiction:
The Digital Personal Data Protection Bill covers the processing of digital personal data within India. Its jurisdiction extends to data processed abroad if the processing is carried out to offer goods or services, or for profiling, within India.
Lawful processing of personal data requires individual consent. Prior notice must be provided, outlining the purpose of data collection and processing. Consent can be withdrawn at any time. For individuals under the age of 18, consent is obtained from their legal guardians.
Rights and Responsibilities of Data Owners:
Data principals, who are individuals whose data is processed, have rights to access information about the processing of their data, rectify and erase data if required, and appoint a representative in case of incapacity or death.
International Data Transfer:
The central government will announce a list of permissible countries for data transfer by data fiduciaries. Transfers must adhere to predetermined terms and conditions.
In certain cases, data principals' rights and data fiduciaries' obligations (excluding data security) do not apply. These cases include offense prevention, investigation, and enforcement of legal rights. The central government has the authority to grant exemptions, including for government processing related to state security and research purposes.
Data Protection Board of India:
The central government will establish the Data Protection Board of India, which will be responsible for overseeing compliance, imposing penalties, guiding data fiduciaries during data breach incidents, and addressing grievances raised by affected individuals.
The Bill’s schedule sets out penalties for various violations, including fines of up to Rs 200 crore for non-compliance related to children’s data and fines of up to Rs 250 crore for failing to implement security measures to prevent data breaches.
What impact will the implementation of the data bill have on regular users?
According to Archana Balasubramanian, a partner at Agama Law Associates, once the Digital Personal Data Protection Bill becomes law, it will establish a framework and an ombudsman system to address data breach issues. However, it’s important to note that the bill specifically focuses on the protection of digital data and does not cover physical data. This means that even the act of taking a picture of physical data would fall under the purview of the bill. On the other hand, if someone exclusively deals with physical data and never converts it into digital form, they would not be subject to the rules outlined in the bill, regardless of the amount of data they possess.
Additionally, Balasubramanian mentions that Indian businesses already comply with regulations from the United States and Europe. Therefore, she suggests that the impact of the Digital Personal Data Protection Bill on how these businesses operate might not be significant, as they are already accustomed to dealing with similar rules and requirements.