Demystifying India’s Digital Personal Data Protection Bill, 2023: A Comprehensive Guide

Abstract

Article 21 of the Indian Constitution guarantees its citizens the Right to life, liberty, security as well as the right to privacy as their fundamental right. To protect people’s data and privacy rights in the contemporary digital environment, the Digital Personal Data Protection Bill, 2023 is a game changing piece of legislation. The law aims to create a strong framework for the gathering, handling, and storing of personal data with a focus on accountability, transparency, and user’s rights. The establishment of user’s right to access and control personal data and the imposition of severe penalties for data breaches and non-compliance with the rules laid down in the bill. To usher in a new era of responsible and ethical data management, this measure seeks to find a balance between technology, advancement, commercial practices and individual fundamental rights. The provisions of this bill establishes a framework for a safe and private internet as technology advances.

Introduction to the Bill

The right to Privacy is a fundamental right as unanimously recognized and guaranteed by the Constitution of India, 1950[1].

The Digital Personal Data Protection Bill, 2023 (DPDP Bill) is a necessary step in the right direction as India desperately needs domestic data protection legislation for its rapidly increasing internet population, which is now estimated to be 759 million. This bill was introduced in Lok Sabha on August 3, 2023. This bill is the Indian Government’s second attempt to draft legislation related to data protection and privacy of personal data upon the provisions of the Information Technology Act, 2000 particularly section 43A and Information Technology Rules of 2011.

This bill aims at protecting the individual’s right (who are termed as “Data Principal”) to protect their personal data and recognises the processing of such data for lawful purposes.

Applicability of the Bill

The provisions of this bill are applicable to all the online collected data as well as the offline data, if digitised [2]. Online data shall mean data gathered digitally, whilst offline data is defined as data in a non-digital form.

It exceeds its applicability even to cross-border personal data collected within the territory of India where it is carried out in conjunction with an activity involving the provision of goods or services to Data Principals in India [3].

The following are exempt from the applicability of the bill, 2023[4]

• personal data processed by an individual for any domestic or personal use
• personal data made or caused to be made publicly available by-

A person who is required to make such data publicly available by any law in effect in India is either;

• the Data Principal to whom such personal data belongs or
• any other person

The DPDP Bill does not classify data based on sensitivity or, as a result, subject particular categories of data to special protections. Instead, the DPDP Bill safeguards “any data about an individual who is identifiable by or in relation to such data,” as specified by the definition[5]. It most likely excludes information that is not personal but might be linked with other information to produce information “about an individual who is identifiable by or in relation to such data”.

Before the enactment of digital personal data protection bills, the IT Rules, 2011 and IT Act, 2000 provided protection and regulation only for sensitive personal data which was laid down in section 3 of the IT Rules, 2011, but DPDP Bill 2023 protects all the data of the individual which is deemed to be personal data. DPDP Bill 2023 provides for more comprehensive and robust compliance with data gathering and data processing.

Data Privacy Principles under the Bill

• Consent: As per the Bill of 2023, personal data about an individual may only be handled for legitimate purposes for which the individual has consented or deemed to have been consented. It states that permission must be unrestricted, explicit, informed and unambiguous.[6]

 Bill also provides the Data Principal a right to withdraw the consent[7] given to process her personal data through a consent Manager. The same needs to be informed to the Data Fiduciary as well.[8]

• Notice of obtaining the consent: The Data Fiduciary has to before obtaining the consent of the Data Principal, needs to send a notice requesting to obtain such consent. The notice shall further contain the purpose for the data being processed and the way the data principal can exercise her rights relating to withdrawal of her consent and the procedure of grievance redressal mechanism.

• Legitimate uses: This proviso enables the Data fiduciary to process the data of the data principal without her consent. The bill of 2023 has replaced the term “deemed consent” as was present in the Bill of 2022 with “certain legitimate uses” which allows the Data Fiduciary to process personal data without the Data principal’s express consent, where the data principal has already provided voluntarily consent for specific purposes to the data fiduciary. Although the deemed consent provision is used, it only applies to certain circumstances where the express consent of the data principal is not required.[9]

• User’s Rights: Data Principal shall have the following rights:

1. Right to access information about personal data: The Data Principal has a right to obtain consent from a Data Fiduciary for processing personal data, including a summary of the data, that is being processed, identities of other Data Fiduciaries and Processors with whom her data will shared, and any other information related to the data and its processing. This right is subject to compliance with applicable laws.[10]
2. Right to make corrections in regard to her personal data: A Data Principal has the right to correct, complete, update, and erasure their personal data, provided they have given consent. A Data Fiduciary must correct, complete, and update inaccurate or misleading data upon request. If a Data Principal requests erasure, the Data Fiduciary will erase the data unless retention is necessary for specific purposes or compliance with law.[11]
3. Right to Grievance Redressal Mechanism: A Data Principal has the right to receive grievance redressal from a Data Fiduciary or Consent Manager regarding their obligations with their personal data. The Data Fiduciary must respond within prescribed timeframes and the Data Principal must exhaust all grievance opportunities before approaching the Board.[12]
4. Right to Nominate: The Data Principal shall have the right to nominate any individual to act or exercise the rights of of data principal, in the event of death or incapacity of the Data Principal due to unsoundness of mind or infirmity of body.[13]

• Obligations of Data Fiduciary: A Data Fiduciary is responsible for complying with the Act and its rules regarding processing by it or a Data Processor. They can engage a Data Processor for goods or services to Data Principals under a valid contract. Data Fiduciaries must ensure completeness, accuracy, and consistency of personal data processed for decision-making or disclosure. They must implement technical and organizational measures to ensure effective observance. Data Fiduciaries must protect personal data by taking reasonable security measures and provide notification to the Board and affected Data Principals in case of a breach.[14]

The Data Fiduciary shall protect the personal data under its control by taking reasonable security safeguards.[15]

Data Fiduciary is bound by a duty to send a notice to the Board regarding any breach of personal data.[16]

• Cross-border transfer of personal data: The DPDP Bill uses a blacklisting strategy, permitting the transfer of personal data to any nation or territory unless prohibited by the Central Government. It is made clear, nonetheless, that any laws or regulations that impose further safeguards or limitations on the transfer of data outside of India will also be applicable.[17] By imposing regulations on cross-border transfer of personal data, bill aims to enhance protection of individuals personal data regardless of where it is being processed.

• Data Protection Board: The Central Government by notification, can create a board which shall be referred as the Data Protection Board. The primary function of the said board is to monitor and regulate the data processing regulation outlined in the bill. The board oversees the handling of data breaches, ensuring the affected individuals are notified promptly. Once the board receives complaints by data principal on any breach, it shall start its inquiring process and if finds there exists a violation, it shall impose penalty as mentioned in the bill.[18] The Board shall follow the principles of natural justice while inquiring and imposing any penalty.[19]

The board provides a mechanism for individuals to seek redress in case of any privacy violations or data breaches and offers a path for resolving disputes.

• Alternate Dispute Resolution Mechanisms: If the board receiving complaint is of the opinion that any complaint shall be referred to the mediation process, it shall direct the complainant to come to a mutual decision to solve their grievances through mediation.[20]

• Penalties for any Personal Data Breach: The Penalties in regard to any breach of personal data of the Data Principal are mentioned in the schedule of the bill.

The maximum penalty that can be imposed by the Board is up to Rs.250 crores for the breach of obligation of Data Fiduciary to protect the personal data under sub-section (5) of section (8) of the Bill,2023.[21]

The Penalty of Rs. 200 crores shall be imposed if the Data Fiduciary fails to intimate the Board regarding any data protection breach. [22]

Loopholes in the Bill

The bill lacks clarity in certain areas, causing confusion and inconsistent implementation. Enforcement challenges depends on the Data Protection Board’s resources and its limited scope may not adequately address other forms of data and emerging technologies. Further clarity on international data transfers, data localization and data retention periods is needed to ensure data protection.

Conclusion

Digital Personal Data Protection Bill, 2023 is an effective mechanism enacted by the government of India. The Digital Personal Data Protection Bill, 2023 extends substantial rights to individuals and provides them with better visibility, awareness, decisional autonomy, and control over their data. It also obligates companies to comply with the rights of individuals and provide effective redressal mechanisms linked with significant penalties.

---

This article is authored by T. Tahira Mehreen, 5 th year BBA.,LL.B student at Bishop Cotton Women’s Christian Law College, Bangalore

---

[1] Justice K.S Puttaswamy & Another vs. Union of India and Others [Writ Petition (civil) No. 494 of 2012]

[2] Section 3(a), Bill, 2023

[3] Section 3(b), Bill, 2023

[4] Section 3(c), Bill 2023

[5] Section 2(t), Bill 2023

[6] Section 6(1), Bill 2023

[7] Section 6(4), Bill 2023

[8] Section 697), Bill 2023

[9] Section 7(a), Bill 2023

[10] Section 11(1), Bill 2023

[11] Section 12, Bill 2023

[12] Section 13, Bill 2023

[13] Section 14, Bill 2023

[14] Section 8, Bill 2023

[15] Section 8(5), Bill 2023

[16] Section 8(60, Bill 2023

[17] Section 16(1), Bill 2023

[18] Section 27(1)(c), Bill 2023

[19] Section 28(6), Bill 2023

[20] Section 31, Bill 2023

[21] Schedule of the Bill, 2023

[22] Ibid