The Digital Personal Data Protection Bill 2023 was passed by the Lok Sabha on Monday, despite objections from some opposition members. The bill was presented on August 3rd by Ashwini Vaishnaw, the Union Minister for Electronics and Information Technology. Its primary objective is to regulate the processing of digital personal data, striking a balance between the right of individuals to safeguard their data and the lawful processing of such data for legitimate purposes.
This legislation covers digital personal data processing within India’s borders, including both data collected online and offline data that is subsequently digitized. Its scope also extends to data processing carried out outside India when it relates to offering goods or services within India. The bill requires consent for lawful data processing, with exceptions for voluntary data sharing and certain state-related processing.
Union Minister of State for Entrepreneurship, Skill Development, Electronics & Technology, Rajeev Chandrashekhar, tweeted that this Bill is a very significant milestone in Prime Minister Narendra Modi’s vision of Global Standard Cyber Laws for India’s $1 trillion digital economy.
Applicability of the Digital Personal Data Protection Bill
- The Bill applies to the processing of personal data collected in India, whether in digital form or in non-digital form that is subsequently digitized.
- The Bill applies to the processing of digital personal data outside India if related to offering goods or services within India.
- Exemptions: Personal data publicly made available by the user (e.g., social media posts) is not covered; Data processed by an individual for personal/domestic use is excluded; Data made available under legal obligation for public access is not covered.
Obligations of Data Fiduciaries under the DPDP Bill
A Data Fiduciary is defined as “Any individual or group of individuals who, either independently or in collaboration with others, establishes the objective and methods for the processing of personal data.”
The Bill requires Data Fiduciaries to comply with the following:
- Process personal data with consent or for legitimate uses prescribed by the Bill.
- Provide notice and obtain consent when processing personal data.
- Legitimate use cases not requiring consent are: Voluntary provision of data by the user; State functions, services, licenses, etc.; Compliance with court orders; Medical emergencies, epidemics, disasters; Employment-related purposes.
- Protect personal data from breaches and notify affected parties.
- Erase personal data upon withdrawal of consent or when the purpose is no longer served.
- Ensure the accuracy of data that is used for taking decisions or sharing with others.
- Appoint a Data Protection Officer or contact person to handle user inquiries.
- Establish a grievance redressal mechanism for Data Principals.
- Appoint Data Processors under valid contracts.
- Implement technical and organizational measures for compliance with the Act.
The establishment of the Data Protection Board of India
The Data Protection Board of India will be established by the Central Government through an official notification. The Board will function as a legal entity with continuous existence and an official seal. It will possess the authority, within the framework of this Act, to acquire, possess, and divest both movable and immovable assets, as well as to engage in contracts and legal proceedings.
The Board will comprise a Chairperson and other designated Members, who will be appointed by the Central Government. The Chairperson will possess the authority to allocate responsibilities among individual Members or groups of Members who are authorized to oversee proceedings in accordance with the stipulations of this Act.
The Board is authorized to investigate and levy penalties in response to complaints, references from the government, or court directions concerning failures by Data Fiduciaries or Consent Managers to fulfil their obligations or respect users’ rights. The Board’s role extends to addressing personal data breaches by compelling Data Fiduciaries to undertake urgent corrective measures, conducting inquiries, and imposing penalties. Furthermore, the Board holds the authority to issue directions, after giving the concerned parties a fair hearing and recording its reasons in writing. It retains the power to modify, suspend, withdraw, or annul any previously issued direction as it deems necessary.
Penalties for non-compliance
The penalties for non-compliance, as outlined in the Bill’s Schedule, are as follows:
- Failure to implement adequate security measures to prevent personal data breaches: Maximum penalty of ₹250 crores.
- Neglecting to inform the Board and affected Data Principals about a personal data breach: Maximum penalty of ₹200 crores.
- Not meeting obligations related to processing children’s data: Maximum penalty of ₹200 crores.
- Defaulting on obligations as a Significant Data Fiduciary: Maximum penalty of ₹150 crores.
- Violation of user responsibilities: Penalty of up to ₹10,000.
- Breach of a voluntary undertaking given to the Board: Penalty up to the amount applicable to the breach for which the proceedings against the entity were instituted.
- Other violations of this Act: Maximum penalty of ₹50 crores.
Penalties imposed under the provisions of this Act are to be credited to the Consolidated Fund of India. Furthermore, the Central Government holds the power to amend the penalty amounts specified in the Schedule by issuing an official notification.
As the nation embraces the digital era, the implementation of the Digital Personal Data Protection Bill underscores India’s commitment to ensuring that personal data remains a cornerstone of trust and integrity in the digital age.