Digital Banking

The Digital Personal Data Protection Bill, 2023

The Ministry of Electronic and Information Technology regulates the framework of data protection. Personal data refers to any information that can identify an individual, either directly or indirectly. Both business and government entities process personal data to deliver goods and services.  This processing enables an understanding of individual preferences, facilitating customization, targeted advertising, and the development of recommendations. Additionally, processing personal data can support law enforcement activities. However, unchecked processing can negatively impact individuals’ privacy, a fundamental right, potentially leading to financial loss and reputational damages.

Overview of the Digital Personal Data Protection Bill 2023

Now, India has separate data protection law, as such personal data is governed by the Information Technology Act of 2000. In 2017, the central government established a committee of Experts on Data Protection, led by Justice B.N. Srikrishna, to examine data protection issues in the country.

The Committee’s report was submitted in July 2018, so following the Committee’s recommendations, the Personal Data Protection Bill 2019 was introduced in the Lok Sabha in December 2019. This Bill was then referred to a Joint Parliamentary Committee, which submitted its report in December 2021. The Bill was withdrawn from Parliament in August 2022, and a draft bill was released for public consultation in November 2022. Finally, the Digital Protection Bill, 2023, was introduced in Parliament in August 2023.

A Step Forward for Digital Personal Data Protection Bill in India

The Digital Personal Data Protection (DPDP) Bill is comprehensive legislation aimed at protecting individuals’ personal data in India. It’s India’s first comprehensive personal data protection law after several years. It defines personal data as information that can identify an individual, such as their name, address, phone number, email address, and financial details.

The Bill establishes several rules for collecting, using, and sharing personal data. For instance, it requires data controllers to obtain individuals’ consent before collecting their personal data and prohibits the sale or transfer of personal data to third parties without the individual’s consent.

The DPDP Bill creates a Data Protection Authority (DPA) to ensure compliance with the law. The DPA will have the authority to investigate complaints, impose fines and take other enforcement actions against data controllers who violate the law.

The DPDP Bill represents a significant advancement in data protection in India. It aims to safeguard individuals’ privacy and give them greater control over their personal data. The bill highlights potential issues for consumers, businesses, and the state while also considering recent developments and future regulatory factors.

Highlights of the Digital Personal Data Protection Bill, 2023

The Digital Personal Data Protection Bill, 2023 regulates the process of digital personal data, including various other areas related to personal data such as:

  • The Bill regulates the processing of digital personal data within India, including data gathered online or offline. It also applies to data processing outside India if it involves offering goods or services in India.
  • Personal data can only be processed legally with the individual’s consent. However, consent is not required for certain legitimate uses such as individuals’ voluntary sharing of data for state processing permits, licenses, and other services.
  • Data fiduciaries must maintain data accuracy, ensure data security and delete data once its purpose is fulfilled.
  • The bill grants individuals the right to access information, request correction and seek grievance redressal.
  • The central government can exempt government agencies from the Bill’s provisions for state security, public order, and crime prevention.
  • The Central government states that the Data Protection Board of India handles the non-compliance issues related to the Bill’s provisions.
READ  Banking as a Service (BaaS): A Detailed Overview

Understand Basic Features of the Digital Personal Data Protection Bill 2023

Let’s understand the key features of the Digital Personal Data Protection Bill 2023 to protect digital personal data and breach of privacy of individuals in various ways such as:

1. Applicability

The Digital Personal Data Protection Bill governs the processing of digital personal data within India, including data collected online or offline digitally. It also applies to processing personal data outside India if it involves offering goods or services or profiling individuals in India.

2. Consent

The personal data may only be processed for lawful purposes with the individual’s consent. A notice must be provided before seeking consent, detailing the data to be collected and the purpose of processing where the consent can be withdrawn at any time.

3. Rights and Duties of Data Principal or Individuals

The individuals whose data is processed, i.e., data principals, have the right to obtain information about processing, request correction and erasure of personal data, nominate someone to exercise their rights if they die, and seek grievance redressal. Individuals must not provide false information, suppress material facts, or impersonate others because violation of this leads to penalties.

4. Obligation of Data Fiduciaries

Entities determining the purpose and means of processing (data fiduciaries) must ensure data accuracy and completeness, implement security safeguards to prevent data breaches, inform the Data Protection Board of India and affected individuals of a breach occurring and cease retaining personal data once its purpose is fulfilled.

5. Transfer of Personal Data Outside India

The central government will notify countries where data fiduciaries can transfer personal data, subject to specified terms and conditions.

6. Exemptions

The rights of data principals and obligations of data fiduciaries do not apply in cases involving preventing and investigating offences or enforcing legal rights or claims where the central government exempts certain activities from the Bill’s provisions, including processing by government entities for state security and public orders.

7. Data Protection Board of India

The central government will establish the Data Protection Board of India to monitor compliance in various data-related situations, areas or laws such as technology & e-commerce law etc., impose penalties and direct necessary measures in case of data breaches and hear grievance from affected individuals.

8. Penalties

The Digital Personal Data Protection Bill outlines penalties for various offences, including up to Rs 150 crore for data non-compliance and up to Rs 250 crore for failing to implement security measures to prevent data breaches.

READ  Digital Transformation in Banking: Opportunities and Challenges

What are the Key Provisions of the Digital Personal Data Protection Bill of 2023?

Below are some of the key provisions of the Digital Personal Data Protection Bill 2023 are states:

1. Purpose Limitation

Data Controllers are required to collect personal data solely for specific, lawful, and legitimate purposes. As per the new bill, they are not allowed to use or share the data for other purposes without the individual’s consent.

2. Consent of the Individuals

The data controller must obtain individuals’ consent before collecting, using or sharing their personal data. This consent must be freely given, specific, and informed.

3. Data Minimization

Data controllers must only collect the personal data necessary for the intended purpose, avoiding collecting excessive or irrelevant information.

4. Accuracy

Data controllers must ensure that personal data is accurate and up-to-date, taking reasonable steps to correct any inaccuracies or incomplete information.

5. Storage Limitation

Data controllers should not store personal data longer than necessary for the intended purpose.

6. Integrity and Confidentiality

Personal data will be protected from unauthorized access, use, disclosure, or destruction by the data controllers.

7. Accountability

Data controllers are responsible for complaints with the DPDP Bill and must implement appropriate technical and organizational measures to safeguard personal data.

8. Officer of Data Protection

If data controllers manage data for more than 10,000+ data subjects, they must appoint a Data Protection Officer to ensure compliance with the Digital Personal Data Protection Act.

9. Notification of Data Breach

In the event of a data breach, the data controller must notify the Data Protection Authority and the affected individuals within 72 hours of becoming aware of the data breach.

10. Cross-Border Data Transfer

Data controllers may transfer personal data to a third country only if that country provides adequate protection for personal data. The bill provides that the Central government restrict the transfer of personal data to certain countries through a notification.

Role of Introducing the Digital Personal Data Protection Bill, 2023

The Digital Personal Data Protection Bill safeguards digital personal data, which identifies individuals and businesses through several measures, the role of introducing the Digital Personal Data Protection Bill are:

  • It outlines the obligations of Data Fiduciaries, such as entities, individuals, companies, and government bodies that process data activities.
  • It also defines the rights and duties of Data Principals and imposes financial penalties for breaches of these rights, duties and obligations.
  • The bill aims to introduce data protection laws with minimal disruption while ensuring necessary changes in data processing by Data Fiduciaries.
  • It seeks to enhance the ease of living and doing business and to support the growth of India’s digital economy and innovation system.

Glimpse of the Proposed Changes in the Digital Personal Data Protection Bill, 2023

A glimpse of the proposed changes in the Digital Personal Data Protection Bill, 2023 is stated below in brief:

  • A single set of Data Protection Rules will apply across the world.
  • Individuals can refer matters to the Data Protection Authority even if their data is processed outside India.
  • The right to be forgotten will be enhanced, allowing individuals to request the deletion of their data if there is no legitimate reason for retention.
  • Easier access to personal data will be guaranteed, requiring third parties to organize electronic data in a portable format that can be transferred to the individual.
  • Individuals will have the right to easily transfer their data from one provider to another, facilitating the switch between cloud providers.
  • Companies must obtain explicit consent when processing personal data.
  • Companies with over 250 employees must appoint data protection officers.
  • Companies and organizations must notify the Data Protection Authority of the serious breach within 24 hours of the data breach.
READ  The Importance of RegTech in Banking

Additional Provision in the DPDP Bill for Children’s Data

The additional provisions introduced in the Digital Personal Data Protection bill include a special provision for the data of children, defined as individuals under 18. Processing of children’s data requires verifiable consent from the parent or guardian and is restricted from activities detrimental to their well-being, such as behaviour monitoring and targeted advertising.

The bill mandates that data fiduciaries obtain verifiable consent frhjom a child’s legal guardian before processing their personal data. To comply, data fiduciaries would need to verify the age of all users to determine if they are children and obtain parental consent accordingly. This measure could help prevent children from providing false declarations, but it may also reduce secrecy in the digital space and prohibit the negative affect on a child’s well-being.


The Digital Personal Data Protection Bill 2023 is the result of over five years of debate and deliberation and marks the beginning of statutory personal data protection regulation in India. The effectiveness of personal data privacy protection will depend on the regulatory development and institutional arrangements that merge in the coming years. The new law provides a necessary framework and sufficient to ensure data privacy.


  1. Why was the Digital Personal Data Protection Bill of 2023 introduced?

    The DPDP Act of 2023 was introduced to establish comprehensive regulations safeguarding digital data in response to increasing privacy and data security concerns.

  2. When is the Digital Personal Data Protection Bill was enacted?

    The bill received the President’s assent, followed by an official gazette notification, making it law on 11th August 2023.

  3. What is the Digital India Act 2023?

    The Digital India Act of 2023 is founded on the principles of the Digital India Goals 2026, which aim to position India as a key participant in global value chains and prioritize safety and trustworthiness.

  4. What’s the scope of DPDA 2023?

    The scope of the DPDP Act, 2023, extends to safeguarding personal data within India and encompasses the processing of personal data belonging to individuals worldwide.

  5. Why is the new IT Act of 2023 introduced?

    The new IT act is the creation of the checking of facts under the IT amendment Rules 2023 which empowered to determine the information’s validity and decide on its presence digitally.

Trending Posted

Get Started Live Chat