Demystifying the Digital Personal Data Protection Bill 2023: A Comprehensive Guide to Data Protection in India

Introduction

"A Bill to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto," the Bill's text says.

Such a law mired in secrecy and controversy!

We are all gradually finding ourselves in a lot more digital environment than ever before as a result of the fascinating times we are living in. The need to protect our personal data is more important than ever in the digital age since technology has become so ingrained in our daily lives. You might be asking what this bill is for and why it matters.

In this article, we shall learn about the significant development of the much-awaited Digital Personal Data Protection Bill 2023 that has been passed in the Lok Sabha on 7th Aug 2023, in the Rajya Sabha on 9th Aug 2023 and will be enacted into law very soon, why the journey is so far and the evolution of the bill has been extremely interesting and why the bill will transform the lives in a lot of ways and also improve the rights of individuals who are today the DIGITAL NAGARIK in a way on the Indian internet.

History

• The Ministry of Electronics and Information Technology (MeiTY) established an expert committee in 2017, which marked the beginning of the process towards a data protection law.
• The significant change occurred in December 2021 with the publication of the draught Data Protection Bill, 2021 (DPB, 2021).
• Ashwini Vaishnaw, the federal minister for electronics and information technology, proposed the bill on August 3rd, 2022.
• The Digital Personal Data Protection Bill, 2022 (DPDPB, 2022) was updated and made available for public comment on November 18, 2022.
• The comments submitted as part of this consultation process were kept confidential.
• A Right to Information application was also rejected over the need for the submissions to be made publicly available.
• The 2023 Bill, which clarifies how and on what basis these amendments were adopted, was introduced in Parliament one year ago.

Key Highlights

• DPDP 2023 applies to the processing of digital personal data, including online and digitalized offline data, in India. It includes procedures done outside of India to market products or services from India. The main goal of this measure is to create a thorough framework for the protection of personal data, to put it simply.
• With exceptions for the government and law enforcement organisations, the measure lays out regulations for businesses that gather data online. The Right to Information Act, 2005 is also amended by the measure, which is presently making its way to the Upper House, by eliminating the public interest exceptions for sharing personal information.
• Except in cases when voluntary sharing or processing is required by the government, personal data processing requires consent.
• Data fiduciaries will bear the responsibility of maintaining data accuracy, ensuring data security and deleting data once its intended purpose has been fulfilled.
• The measure grants people specific rights, including the ability to view information, ask for the removal or rectification of their data, and file complaints.
• The central government may, under certain conditions, exempt government agencies from complying with the bill's requirements. These situations frequently centre on particular justifications such as preserving the state's security, upholding the principles of law, and stopping crimes.
• The central government will establish the Data Protection Board of Idia, which will be responsible for hearing cases of non-compliance, to monitor adherence to the Bill's requirements.
• Due to exemptions, the state has provided for the processing of data, particularly based on national security, concerns have been raised over the potential infringement of the fundamental right to privacy. These exemptions may lead to the acquisition, processing, and keeping of data that goes beyond what is deemed required.
• It has also been pointed out that the bill does not regulate risks of harm arising from the processing of personal data.
• Furthermore, the bill permits the transfer of personal data outside of India, except to countries that have been notified by the central government.
• However, this mechanism might not guarantee a thorough evaluation of the data protection standards in the countries where the transfer of personal data is allowed.
• The Data Protection Board of India's members will be appointed for a term of two years, with the possibility of reappointment, which could affect the board's ability to work independently.
• Notably, the bill is the first law in India to use she/her pronouns while referring to all genders.
• The Bill's "Interpretation" provision clarifies that the pronouns "her" and ‘she" in the proposed legislation have been used for an individual, irrespective of gender.

What is Personal Data?

Any information on a person who may be identified from or in connection with that information is referred to as personal data.

The DPDP defines personal data as any data that can be used to uniquely identify a person, including but not limited to:

• Identify
• Telephone
• Addresses for email
• Biometric information

Future regulations may classify further information as personally identifiable information.

What is Processing?

The term "processing" refers to any fully or partially automated actions carried out on digitally stored personal data. It comprises gathering, keeping, using, and sharing.

Key Features:

1. Applicability

The bill applies to the processing of digital personal data within India where such data is:

• Collected online
• Collected offline and is digitised

If processing is done to provide goods or services in India, it also applies to processing done outside of India.

2. Consent

Only with the individual's consent and for a legal purpose may personal data be used.

Before requesting consent, a notification must be given.

Information about the personal data to be gathered and the processing goal should be included in the notification.

The ability to revoke consent is always available.

The following examples of "legitimate uses" that do not require consent:

• The specified purpose for which data has been provided by an individual voluntarily
• Provision of benefit or service by the government
• Medical emergency
• Employment

For individuals (below 18 years of age), consent will be provided by the parent or the legal guardian.

3. Rights and duties of data principal (individual)

An individual whose data is being processed (data principal), will have the right to:

• Obtain information about the processing
• Seek correction and erasure of personal data
• Nominate another person to exercise rights in the event of death or incapacity
• Grievance Redressal

4. Obligations of data fiduciaries

The entity determining the purpose and means of processing (Data Fiduciary) must:

• Make reasonable efforts to ensure the accuracy and completeness of data, build reasonable security safeguards to prevent a data breach
• Inform the Data Protection Board of India and affected persons event of a breach
• Erase personal data as soon as the purpose has been met and retention is not necessary for legal purposes (storage limitation)

In the case of government entities, storage limitation and the right of the data principal to erasure will not apply.

5. Transfer of personal data outside India

The bill allows the transfer of personal data outside India, except to countries restricted by the central government through notification.

The central government will establish the Data Protection Board of India to adjudicate or non-compliance with the provisions of the bill.

6. Blocking power

According to the 2023 Bill, the Board may request that the central government or any authorised authority order the blocking of public access to the data fiduciary's platform. Blocking can only be ordered when it is necessary or advantageous for the general public, and the fiduciary should be given a chance to be heard before one is issued. Any intermediary may be asked by the government to help carry out the blocking order. This is a brand-new clause.

7. The DPB has the authority to

• Inspect documents of companies handling personal data
• Summon and examine individuals under oath
• Recommend blocking access to intermediaries that repeatedly breach the bill's provisions

Penalties

Penalties will be imposed by the Board after conducting an inquiry.

1. Rs. 200 crores for non-fulfilment of obligations for children
2. Rs. 250 crores for failure to take security measures to prevent data breaches
3. Rs. 150 crores for breach in observance of additional obligations of Significant Data Fiduciary
4. Rs. 10,000 for breach in observance of the duties
5. Rs. 50 crores for breach of any other provision of DPDP or the rules made thereunder
6. Extent applicable for breach of any term of voluntary undertaking accepted by the Board

Exemption

Bill exempts government authorities. IT Minister Ashwini Vaishnaw said that exemptions to the Centre were needed.

"If there is a natural disaster like an earthquake, will the government have time to seek consent for processing their data or have to act quickly to ensure their safety?"

According to the bill, the central government will have the right to exempt "any instrumentality of the state" from adverse consequences citing

• National security
• Relations with foreign governments
• Maintenance of public order, among other things

Accomplished Objects to formulate the DPDP 2023

Utilise a risk-based approach:

To determine and reduce the risks to personal data, organisations should adopt a risk-based strategy. This will make it easier to ensure that the technical controls put in place are suitable for the particular risks the organisation confronts.

• Perform a privacy impact assessment (PIA) first. This will assist you in identifying the hazards connected to your data processing activities and in creating countermeasures.
• Publish privacy rules that are transparent and that clearly describe your data collection, use, and sharing practices.
• If your firm handles a sizable amount of personal data, you should appoint a data protection officer (DPO) to manage your organisation's compliance activities.
• Give people the means to view, edit, and delete their personal information. Respond to data subject requests in a timely and efficient manner.

Organisational and technical measures

The DPDP mandates that businesses put in place the proper organisational and technical safeguards to secure customer data. Preventing unauthorised access to personal data should be one of these measures' main objectives.

• Avoid the unauthorised destruction or alteration of personal data.
• Assure the privacy, accuracy, and accessibility of personal data.
• Make it possible for personal data to be promptly restored in the case of a data breach.

Monitoring and Reporting

Simply implementing technical security measures is not sufficient. Data protection and cyber security do not have a silver bullet. To achieve optimal effectiveness, the products, platforms, or solutions must be monitored, as well as the reports they produce. To that end, identify and reduce the risks to personal data by using a risk-based approach.

• Stay current on the newest security techniques and technologies.
• Test and evaluate the efficiency of your technological measures regularly.
• Keep track of all the procedures involved in installing and maintaining your technical measures.

You can improve your company's technical data protection safeguards and work to comply with the DPDP Act by using the advice in this article.

Need for this Bill

Recently, in July 2023, it was claimed that 12,000 SBI employees' private records were made public on Telegram.

This makes the exemption under Clause 17(2)(a), which, if notified, is granted to the government and its authorities, a significant cause for concern in the Bill.

Concerns

• Data collection, processing, and retention may go beyond what is necessary when the State is granted exemptions from processing personal information for reasons like national security.
• The Bill does not offer the data principal the right to be forgotten, which may be a violation of the fundamental right to privacy.

Conclusion

The Digital Personal Data Protection Bill 2023 opens the path for a safer and more secure digital ecosystem as we advance into a future powered by technology. With the passage of this bill, individuals will have more control over the personal information that businesses gather, handle, and use about them.

The bill assures that our privacy is protected online by putting in place strong safeguards to protect personal data. It gives people more influence over how their personal information is used, allowing them to provide their approval and hold businesses responsible for any misuse.

Let's support this legislation and collaborate to safeguard our online personas, ensuring a prosperous and secure digital future for everybody.