New Delhi: The Rajya Sabha today passed the Digital Personal Data Protection Bill, 2023, by voice vote. Most of the opposition parties, excluding the Biju Janata Dal and the YSR Congress Party, staged a walkout after raising surveillance fears.
The Bill seeks “to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes.”
The Lok Sabha passed the Bill on August 7, 2023, and it will now be sent for the President’s nod.
Moving the Bill, Information Technology and Communication Minister Ashwini Vaishnaw said that the legislation was “pro-citizen, pro-privacy and very much in the spirit of government where we would like to make sure that every citizen’s data is fully protected”.
Vaishnaw claimed that while the world’s most stringent privacy law, the General Data Protection Regulation (GDPR), provides for 16 exemptions, the Digital Personal Data Protection Bill, 2023, has given only four exemptions.
Meanwhile, the Ministry of Electronics and Information Technology today highlighted the following salient features of the Digital Personal Data Protection Bill, 2023:
The Bill provides for the processing of digital personal data in a manner that recognizes both the rights of the individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.
The Bill protects digital personal data (that is, the data by which a person may be identified) by providing for the following:
- The obligations of Data Fiduciaries (that is, persons, companies and government entities who process data) for data processing (that is, collection, storage or any other operation on personal data);
- The rights and duties of Data Principals (that is, the person to whom the data relates); and
- Financial penalties for breach of rights, duties and obligations.
The Bill also seeks to achieve the following:
- Introduce data protection law with minimum disruption while ensuring necessary change in the way Data Fiduciaries process data;
- Enhance the Ease of Living and the Ease of Doing Business; and
- Enable India’s digital economy and its innovation ecosystem.
The Bill is based on the following seven principles:
- The principle of consent, lawful and transparent use of personal data;
- The principle of purpose limitation (use of personal data only for the purpose specified at the time of obtaining the consent of the Data Principal);
- The principle of data minimisation (collection of only as much personal data as is necessary to serve the specified purpose);
- The principle of data accuracy (ensuring data is correct and updated);
- The principle of storage limitation (storing data only till it is needed for the specified purpose);
- The principle of reasonable security safeguards; and
- The principle of accountability (through adjudication of data breaches and breaches of the provisions of the Bill and imposition of penalties for the breaches).
The Bill provides for the following rights to individuals:
- The right to access information about personal data processed;
- The right to correction and erasure of data;
- The right to grievance redressal; and
- The right to nominate a person to exercise rights in case of death or incapacity.
For enforcing his/her rights, an affected Data Principal may approach the Data Fiduciary in the first instance. In case he/she is not satisfied, he/she can complain against the Data Fiduciary to the Data Protection Board in a hassle-free manner.
The Bill provides for the following obligations of the Data Fiduciary:
- To have security safeguards to prevent personal data breaches;
- To intimate personal data breaches to the affected Data Principal and the Data Protection Board;
- To erase personal data when it is no longer needed for the specified purpose;
- To erase personal data upon withdrawal of consent;
- To have in place a grievance redressal system and an officer to respond to queries from Data Principals; and
- To fulfil certain additional obligations in respect of Data Fiduciaries notified as Significant Data Fiduciaries, such as appointing a data auditor and conducting periodic Data Protection Impact Assessments to ensure a higher degree of data protection.
The Ministry claimed that the Bill also safeguards the personal data of children. It allows a Data Fiduciary to process the personal data of children only with parental consent. It does not permit processing which is detrimental to the well-being of children or involves their tracking, behavioural monitoring or targeted advertising.
The exemptions provided in the Bill are as follows:
- For notified agencies, in the interest of security, sovereignty, public order, etc.;
- For research, archiving or statistical purposes;
- For startups or other notified categories of Data Fiduciaries;
- To enforce legal rights and claims;
- To perform judicial or regulatory functions;
- To prevent, detect, investigate or prosecute offences;
- To process in India the personal data of non-residents under foreign contract;
- For approved mergers, demergers etc.; and
- To locate defaulters and their financial assets etc.
The key functions of the Board are as under:
- To give directions for remediating or mitigating data breaches;
- To inquire into data breaches and complaints and impose financial penalties;
- To refer complaints for Alternate Dispute Resolution and to accept Voluntary Undertakings from Data Fiduciaries; and
- To advise the Government to block the website, app etc. of a Data Fiduciary who is found to repeatedly breach the provisions of the Bill.
– global bihari bureau