The Digital Personal Data Protection Bill introduces the concept of user consent and envisages the creation of a Data Protection Board
The bill aims to build a regulatory framework on how private or government entities can use or process citizens' data within the country, as well as outside India to some extent
The DPDP Bill, 2023 will now head to the Rajya Sabha where the ruling coalition is short of majority
Amid protests from some opposition members, the Lok Sabha on Monday (August 7) passed the Digital Personal Data Protection (DPDP) Bill, 2023, setting the stage for a full-fledged law to oversee digital processing of data of Indians.
This comes a few days after Union Minister for Electronics and Information Technology Ashwini Vaishnaw tabled the bill in Parliament on August 3.
The Fine Print
The bill aims to replace existing data protection laws, largely enforced via Section 43A of the Information Technology Act, 2000.
One of the key aspects of the bill is that it defines terms such as ‘personal data’ and ‘processing’. The bill defines personal data as any data about an individual who is identifiable ‘by or in relation to’ such data.
Processing, on the other hand, is defined as a wholly or partly automated operation, or set of operations, performed on digital personal data, and includes collection, storage, use and sharing. The bill covers data collected in digital form as well as data collected offline and subsequently digitised.
Apart from processing within India, the bill also covers processing of personal data outside India if it is connected with offering goods or services to individuals within India. Unlike the previous 2022 version of the bill, the new iteration empowers the Centre to restrict, by notification, the transfer of personal data by a data fiduciary to any foreign country.
The bill terms an individual whose data is being collected a data principal, and sets out who exercises that role in exceptional cases. For instance, in the case of a child, the parents or lawful guardian stand in as the data principal, while in the case of a person with disability it is the lawful guardian. This specific aspect was missing in the previous bill.
Unlike the previous iterations of the bill in 2018 and 2019, which created tiered categories (critical and sensitive) of personal data, the new bill removes such distinctions and steers clear of regulating non-personal data.
Users In Focus
The bill also has the concept of user consent, meaning that data can only be processed with the prior permission of the user and only for a specified, lawful purpose.
The bill also requires data fiduciaries to issue a notice to users before seeking consent, which can only be sought for a lawful purpose and is the default basis for data processing. Users can withdraw their consent at any point of time.
Besides, consent shall not be required for certain ‘legitimate uses’, including:
- specified purpose for which data has been provided by an individual voluntarily
- provision of benefit or service by the government
- medical emergency
The DPDP Bill, 2023 also introduces the construct of ‘consent managers’, who will serve as a single point of contact for users to offer, withdraw and manage their consent via an ‘accessible, transparent and interoperable’ platform.
The bill also mandates that these consent managers be registered with the Data Protection Board and be ‘accountable’ to the users, or data principals. The bill empowers consent managers to file complaints on behalf of users. These managers would also be subject to inquiry for breaching the conditions of their registration.
The bill also draws up a list of rights and duties for users whose data is processed. A user will have the right to ‘obtain’ information about data processing, to seek correction and erasure of personal data, to grievance redressal and to nominate another person to exercise these rights in the event of death or incapacity.
The duties of a data principal include not filing ‘frivolous’ complaints, not impersonating another person and not furnishing false particulars. A penalty of up to INR 10,000 may be imposed on users flouting their duties.
More Compliance For Data Fiduciaries
As per the bill, data fiduciaries are entities that determine the ‘purpose and means of processing’ data. Data fiduciaries have been entrusted with certain obligations to ensure accuracy and completeness of data and to build reasonable security safeguards to prevent data breaches.
Data fiduciaries have also been mandated to ensure protection of personal data even if it is stored with a third-party data processor.
Under the proposed law, these entities have also been directed to inform the proposed Data Protection Board of India, and the affected users, in the event of a data breach. Besides, fiduciaries have also been mandated to delete personal data once the specified purpose has been served and retention is no longer necessary for legal purposes (storage limitation). The norms related to storage limitation and the right of the data principal to erasure shall not apply to government entities.
However, the bill empowers the union government to exempt its agencies and arms from the various provisions of the bill in certain instances involving public order and security of the state.
Data Protection Board
The Data Protection Board of India will be tasked with monitoring compliance and imposing penalties. It can also advise the government to block public access to an intermediary if a data fiduciary has been penalised on two or more occasions for violating provisions of the bill.
In addition, the board will also be the adjudicating body for grievances filed by users. The Telecom Disputes Settlement and Appellate Tribunal (TDSAT) will be the appellate body for decisions of the proposed board. As per the bill, the members of the board will be appointed for a period of two years and will be eligible for re-appointment. The Centre will decide the composition of the board and notify its creation at a later date.
One of the biggest takeaways from the bill is the hefty penalties that data fiduciaries could be liable for in the event of violations. For non-fulfilment of obligations related to children, violators could attract penalties of up to INR 200 Cr, while failure to take reasonable security safeguards to prevent data breaches could invite a penalty of up to INR 250 Cr. As per the bill, penalties would be imposed by the Data Protection Board after conducting an inquiry.
Meanwhile, a full-blown row erupted in the Parliament as Vaishnaw moved the bill in the Lok Sabha. Lashing out at the bill, opposition members called for referring the bill to a parliamentary panel for further deliberations.
Opposition MPs had opposed the bill earlier as well, alleging that it violates the ‘Right to Privacy’. They also called for lowering the age of consent for children to 15, against the 18 envisaged in the bill.
Meanwhile, the Editors Guild of India also flagged concerns about certain provisions of the DPDP Bill, 2023. It said the proposed law could have an ‘adverse impact on press freedom’, adding that it enables a framework for the ‘surveillance of citizens, including journalists and their sources’.
The bill is now slated to face its biggest hurdle in Rajya Sabha, where the ruling coalition does not have a majority.