On 9th August, Parliament passed the Digital Personal Data Protection Bill, 2023, with Rajya Sabha approving it. The Bill had already been passed in Lok Sabha.
Key provisions
- The Bill provides for the processing of digital personal data in a manner that recognizes both the rights of the individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.
- By using the word “she” instead of “he”, for the first time the bill acknowledges women in Parliamentary law-making.
The Bill protects digital personal data (that is, the data by which a person may be identified) by providing for the following:
- The obligations of Data Fiduciaries (that is, persons, companies and government entities who process data) for data processing (that is, collection, storage or any other operation on personal data);
- The rights and duties of Data Principals (that is, the person to whom the data relates); and
- Financial penalties for breach of rights, duties and obligations.
The Bill provides for the following rights to individuals:
- The right to access information about personal data processed;
- The right to correction and erasure of data;
- The right to grievance redressal; and
- The right to nominate a person to exercise rights in case of death or incapacity.
The Bill allows a Data Fiduciary to process the personal data of children only with parental consent.
- The Bill does not permit processing which is detrimental to the well-being of children or which involves their tracking, behavioural monitoring or targeted advertising.
The Bill has a provision to set up the Data Protection Board of India.
- The Board on receipt of an intimation of a personal data breach will inquire into the matter and impose a penalty.
- While determining the amount of monetary penalty to be imposed, the Board will consider the nature, gravity and duration of the breach and the type and nature of the personal data affected by the breach.
The exemptions provided in the Bill are as follows:
- For notified agencies, in the interest of security, sovereignty, public order, etc.;
- For research, archiving or statistical purposes;
- For startups or other notified categories of Data Fiduciaries;
- To enforce legal rights and claims;
- To perform judicial or regulatory functions; etc.
The Bill provides for the following obligations on the Data Fiduciary:
- To have security safeguards to prevent personal data breach;
- To intimate personal data breaches to the affected Data Principal and the Data Protection Board;
- To erase personal data when it is no longer needed for the specified purpose;
- To erase personal data upon withdrawal of consent;
- To have in place a grievance redressal system and an officer to respond to queries from Data Principals.