Digital Banking

The Digital Personal Data Protection Bill, 2023

On August 9, the Rajya Sabha passed the Digital Personal Data Protection Bill, 2023. The Bill establishes standards for how businesses should treat data digitally, shows a dispute resolution process, and calls for establishing an Indian Data Protection Board. Since this transforms the digital economy, we will proceed with all steps under proper checks, balances, and verification. It needs to be a strong mechanism.

The Bill focuses on digital personal data, and non-personal data are not covered by the Digital Personal Data Protection Bill. The Information Technology Act, 2000 (“IT Act”)¹, Section 43A, and the Information Technology (Reasonable Security Practises and Procedures and Sensitive Personal Data of Information) Rules, 2011 (“SPDI Rules”) will be replaced by the DPDP Bill once it is into force.

Purpose of the Bill

The purpose of this Act is to establish guidelines for processing digital personal data in a way that recognizes the necessity to process personal data for legitimate reasons and the right of persons to protect their data.

Applicability

Only applies to digital personal data – The DPDP Bill only applies to personal data gathered digitally or non-digitally and later converted to a digital format.

Application outside of India – The DPDP Bill only covers processing digital personal data outside of India if it is necessary to supply goods or services to data principals (also known as data subjects) in India.

Exclusions – The following are exempt from the DPDP Bill’s application: (i) personal data processed by an individual for any domestic or personal purpose; and (ii) personal data made publicly available by the data principal herself or by any other person by a legal duty.

Digital Personal Data

Personal data is any information on a person who may be identified from or in connection with that information. Processing is an automated action or series of operations carried out on digitally stored personal data. It comprises collecting, keeping, using, and sharing.

New Digital Personal Data Protection Bill

Data will continue to be the most crucial element in our booming digital economy. As it establishes the obligations and liabilities of “Data Fiduciaries,” who gather, store, and process the data, the DPDP Bill 2023 is a much-needed step in the right direction.

The law calls for fines up to Rs. 250 crores per occurrence in case of a data breach, which is less than the proposed Rs. Five hundred crores in the earlier draught made public in November of last year. The punishment can be multiplied by that many occurrences because it will depend on how many instances there are.

The Bill imposes reasonable requirements on data fiduciaries to ensure digital personal data is handled responsibly. The law has been amended to include consent management, extra duties for Significant Data Fiduciaries, and verifiable parental or guardian consent.

In the event of infractions, the regulations also allow the government to prohibit a corporation or levy fines. “If any fiduciary continues breaking the law after two offences or receiving two penalties, the government may rest Government the platform.

Because they will be held responsible for a data breach between a data fiduciary and a data principal, data fiduciaries must form stronger agreements with their partners or contractors.

Salient Features of the Digital Personal Data Protection Bill, 2023

The following provisions of the Bill protect digital personal data (i.e., information that can be used to identify a person):

• The rights and obligations of Data Principals (the person to whom the data relates).
• The rights and obligations of Data Fiduciaries (that is, people, businesses, and government entities who process data) for data processing.
• Financial penalties for violations of rights, duties, and obligations.

Aim of the Bill

The Bill aims to achieve the following: 

• The Bill seeks to improve the ease of living and doing business.
• Also, enable India’s digital economy and innovation ecosystem. 
• It also aims to introduce data protection law with the least disruption while ensuring the essential shift in how data fiduciaries use data.

Main Principles 

The following seven principles form the basis of the Bill: 

• The idea is that personal data should only be used with consent, legally, and transparently.
• The principle of purpose limitation (only using personal information for those purposes mentioned at the time the Data Principal gave consent).
• The idea of data minimization (collecting just the minimum amount of personal information required to fulfil a specific goal).
• The principles of data accuracy (ensuring that data is accurate and up-to-date.
• Storage limitation principle (only keeping data for as long as it is required for the designated purpose), and data limitation.
• The principles of accountability (via the adjudication of data breaches, violations of the Bill’s provisions, and the enforcement of fines for the violations).
• And the principle of appropriate security protections.

The Innovative Features of the Bill

The Bill is concise and SARAL, or simple, accessible, rational, and actionable law, since it:

• Uses clear language.
• Includes examples to clarify the meaning.
• Lacks qualifying clauses that are no provisos (“Provided that,” etc.).
• And has few cross-references.

For the first time, it acknowledges the participation of women in parliamentary law-making by using the pronoun “she” rather than “he”.

Rights for Individual

The following rights for individuals are provided under the Bill:

• The right to obtain information about processed personal data. 
• The right to modify and delete data. 
• The right to grievance redressal, and
• The option to name a representative to exercise rights in the event of a disease or disability.

An affected Data Principal may contact the Data Fiduciary to exercise their rights. If unsatisfied, they can easily file a complaint with the Data Protection Board against the Data Fiduciary.

 The obligation of the Data Fiduciary

The following obligations are imposed on the data fiduciary by the legislation:

• Having security measures in place to avoid personal data breaches.
• Notifying the Data Protection Board and the affected Data Principal when a breach occurs.
• To destroy personal information when it is no longer required for the intended use.
• To delete personal information if consent is withdrawn.
• To have an officer who can answer questions from Data Principals and a grievance redressal method in place.
• Performing periodic Data security Impact Assessments and engaging a data auditor to ensure greater data security is essential for the additional responsibilities that must be met concerning Data Fiduciaries designated as Significant Data Fiduciaries.

Children’s Personal Information

The Bill also protects children’s personal information.

• According to the Bill, a Data Fiduciary may only process children’s personal information with their parent’s permission.
• The Bill forbids processing that harms children’s well-being or involves surveillance, behavioural monitoring, or targeted advertising.

Exemptions

 The following are the exemptions listed in the Bill:

• For security, sovereignty, public order, etc., for the notified agencies.
• For startup companies or other designated groups of Data Fiduciaries.
• For research, archiving, or statistical purposes.
• To carry out judicial or regulatory duties
• To prevent, identify, investigate, or prosecute crimes.
• To process personal information of non-residents under foreign contracts in India.
• For approved mergers, demergers, etc.
• And to find defaulters and their financial assets, among other things.

Critical Functions of the Board 

The following are the Board’s primary functions:

• To issue directives for rectifying or mitigating data breaches. 
• To investigate complaints and data breaches and impose monetary penalties.
• To refer complaints for alternative dispute resolution and accept voluntary undertakings from data fiduciaries. 
• To recommend the Government to block government, app, etc., of a data fiduciary found to violate the Bill’s provisions repeatedly.

Penalties 

Financial penalties for violations – Depending on the type of violation, the DPB may impose fines of up to INR 250 crore after an investigation. The severity and length of the breach, the type of personal data impacted, the violation’s recurrent nature, etc., may all be considered when determining the amount of fines.

No Compensation – Payment of compensation to data principals whose personal data has been compromised is not covered under the Digital Personal Data Protection Bill. This is a departure from the IT Act, which permits impacted data principals to pursue damages from a data fiduciary who neglected to put in place appropriate security measures and, as a result, caused unjustified loss or gain. However, the DPDP Bill imposes obligations on data principals, including the need to provide only verifiably authentic information, refrain from using a false identity when providing personal data for a specific purpose, and refrain from filing a baseless grievance or complaint with a data fiduciary or the DPB. The data principals may be fined up to INR 10,000 for failing to uphold these obligations.

Conclusion

The DPDP Bill of 2023 is crucial in the current digital era, where the collection and processing of personal data is increasing. This helps prevent data breaches resulting in monetary loss and reputational damage. In conclusion, the Digital Personal Data Protection Bill of 2023 in India is crucial for preserving People’s right to privacy, building trust in digital transactions, encouraging responsible data usage, and offering a legislative foundation for data protection in the quickly changing digital environment.

FAQs

1. https://www.meity.gov.in/content/information-technology-act-2000-0