Rajya Sabha Passes Digital Personal Data Protection Bill

Two days after Lok Sabha passed the Digital Personal Data Protection (DPDP) Bill, 2023, it was also passed by the Rajya Sabha on Wednesday (August 9) with a voice vote.

The DPDP bill would become a law after President Draupadi Murmu grants her assent to it.

“Under this bill, individuals using digital services have been given more power and more obligations have been imposed on companies using data of individuals. There has been a lot of consultation on the bill and then it has been presented before the House,” Union Minister for Electronics and IT Ashwini Vaishnaw reportedly said addressing the House.

“Further, four rights have been given to the country’s citizens – right to access information, right to correction of personal data and right to erasure, right to grievance redressal, right to nominate in case of death,” he added.

A Personal Data Protection (PDP) Bill was introduced in December 2019, which was then referred to a joint parliamentary committee (JPC) for examination after it faced severe criticism from various opposition party leaders

The report of the committee was presented to the Lok Sabha in December last year when a draft Data Protection Bill, 2021 was also submitted. However, the Indian government withdrew that in August last year after 81 amendments were proposed by the JPC.

A new draft version of the bill was first released by the Ministry of Electronics and Information Technology (MeitY) in November last year. The Union Cabinet approved the new DPDP Bill, 2023 in July. 

The DPDP Bill, 2023 has narrowed the scope of the earlier PDP bill by considering only personal and digital data in India and concerning only Indians. 

The new bill aims to replace existing data protection laws, which is largely enforced via Section 43A of the IT Act, 2000. 

Key Highlights of The DPDP Bill

The bill has clearly defined terms such as ‘personal data’ and ‘processing’. It defines personal data as any data that can help identify an individual ‘by or in relation’ to such data.  

It also proposes the concept of ‘data fiduciary’, which refers to any person who alone or in conjunction with other persons determines the purpose and means of processing personal data.

The DPDP Bill entrusts these data fiduciaries with issuing a notice to users before seeking consent, which can only be sought for lawful purposes and is mandatory for data processing. 

However, users have been given the right to withdraw their consent at any point of time.

Also, the bill empowers the union government to exempt its agencies and arms from the various provisions of the bill in some instances involving public order and security of the State. 

The bill identifies a ‘consent manager’ as a person who would act as a single point of contact for users to offer, withdraw and manage their consent via an ‘accessible, transparent and interoperable’ platform. 

Speaking in the Rajya Sabha today, Vaishnaw said, “We wanted the entire bill to be drafted in a way which is technology agnostic, which should be able to stand the progress of technology without requiring amendment again and again as and when new technology comes. That’s why some of these provisions have been kept and many things will evolve as the data protection board gives its rulings and people understand what needs to be further done.”

“So, that flexibility is there. We have kept this bill primarily on principles, we have not kept it prescriptive,” he added.

Besides the opposition, the bill has also received criticism from industry stakeholders. There are concerns that this bill would lead to state-sponsored surveillance of citizens and that it violates citizens’ right to privacy.

In case of non-compliance with the provisions of the bill, a penalty of up to INR 500 Cr can be levied.

Note: We at Inc42 take our ethics very seriously. More information about it can be found here.