The Lok Sabha has passed the Digital Personal Data Protection Bill, 2023. This legislation sets out the responsibilities of entities handling and processing digital data while upholding the rights of individuals in India. The bill introduces substantial penalties, ranging from a minimum of Rs 50 crore to a maximum of Rs 250 crore, for those found violating its provisions.
Digital Personal Data Protection Bill 2023?
The primary objective of the Digital Personal Data Protection Bill, 2023 is to establish a comprehensive framework for the protection of personal data. This framework extends its jurisdiction to personal data collected within India, both online and offline data that has been subsequently digitized. Moreover, if data processing occurs outside India but involves offering goods or services to individuals within the country, the bill’s regulations will apply.
Union Communications, Electronics and Information Technology Minister Ashwini Vaishnaw presented the bill in the Lok Sabha on August 3. Despite calls from the opposition to refer the bill to the standing committee for further examination, Vaishnaw defended its nature as a “normal bill” and moved it for discussion.
Key highlights of the Digital Personal Data Protection Bill, 2023 include:
- Data Security: Entities dealing with user data are required to ensure the protection of personal data, even if it is stored with third-party data processors.
- Data Breach Notification: In the event of a data breach, companies are mandated to promptly inform the Data Protection Board (DPB) and affected users.
- Special Provisions for Children and Physically Disabled Persons: Processing data of minors and individuals with guardians must be done only with the consent of guardians.
- Appointment of Data Protection Officer (DPO): Firms are required to appoint a Data Protection Officer and share their contact details with users.
- Government Authority over Data Transfer: The bill empowers the central government to regulate the transfer of personal data to foreign countries or territories beyond India.
- Appeals Mechanism: Appeals against DPB decisions will be adjudicated by the Telecom Disputes Settlement and Appellate Tribunal.
- DPB’s Authority: The DPB has the authority to summon and examine individuals under oath, inspect documents of companies handling personal data, and recommend blocking access to intermediaries that repeatedly breach the bill’s provisions.
- Penalties: The DPB will assess penalties based on the nature and severity of the breach, with potential fines of up to Rs 250 crore for instances of data breaches, failure to protect personal data, or failure to inform the DPB and users of a breach.
Personal data is information that relates to an identified or identifiable individual. Businesses as well as government entities process personal data for delivery of goods and services. Processing of personal data allows understanding preferences of individuals, which may be useful for customisation, targeted advertising, and developing recommendations. Processing of personal data may also aid law enforcement. Unchecked processing may have adverse implications for the privacy of individuals, which has been recognised as a fundamental right. It may subject individuals to harm such as financial loss, loss of reputation, and profiling.