Digital Personal Data Protection Bill

A New Age of Privacy: Understanding India’s Digital Personal Data Protection Bill 2023

Recognizing the need to safeguard the privacy of its citizens, India has introduced the Digital Personal Data Protection (DPDP) Bill 2023. By empowering individuals, regulating data processors, and establishing a robust governance structure, the Bill sets a strong foundation for protecting personal data, and marks a significant step towards a new era of privacy.

Recognizing the need to safeguard the privacy of its citizens, India has introduced the Digital Personal Data Protection (DPDP) Bill. Both the lower house (Lok Sabha) and the upper house (Rajya Sabha) of Parliament have passed the Bill, marking a significant milestone six years after the Supreme Court’s landmark declaration of the “Right to Privacy” as a fundamental right. This comprehensive data protection legislation aims to regulate personal data collection, processing, and sharing. The salient provisions of the Bill are briefly explained below.

Empowering Individuals: Rights and Duties

One of the salient features of the Bill is the empowerment of individuals, referred to as Data Principals, in controlling their personal data. The legislation grants individuals the right to access summaries of their data, update information, nominate another person to exercise rights in the event of death or incapacity, seek correction of inaccuracies and even erase data under certain circumstances. Not only does the Bill provide rights, but it also outlines the duties of individuals. These include ensuring the authenticity of information, compliance with applicable laws, and refraining from registering false grievances.

Regulating Data Processors: The Role of Data Fiduciaries

Data Fiduciaries, the entities responsible for processing personal data, are placed under stringent obligations. They must provide readily available means of grievance redressal and respond to grievances within a prescribed period. Additionally, they must implement appropriate technical and organizational measures for compliance with the Bill, and notify the Board, as well as the affected Data Principal, of data breach incidents; failure to do so could entail a penalty of up to INR 200 crore. Further, the Data Fiduciary or Processor can be penalised up to INR 250 crore for failure to ensure reasonable security safeguards to prevent data breaches.

Special Provisions: Cross-border Data Transfers and Data Localization

The Bill takes a more palatable ‘black-list’ approach to the transfer of personal data outside India, in contrast to the earlier draft released in November 2022, which envisaged a ‘white-list’ approach. It now allows cross-border transfers of personal data to all countries or territories except those specifically identified by the Central Government through notifications. Further, unlike the previous iteration, the Bill does not prescribe local storage or localization requirements. This could help businesses optimize storage infrastructure costs and simplify compliance.

A Robust Governance Structure: The Data Protection Board of India

To oversee and enforce the provisions of the Act, the Bill establishes the Data Protection Board of India. This independent body will have the power to direct remedial measures, inquire into personal data breaches, and impose penalties. Where there is a breach of personal data, the Board also has the power to direct the Data Fiduciary to adopt any urgent measures to mitigate harm or remedy the breach. In addition, it has discretionary powers to accept voluntary undertakings with respect to matters related to non-compliance.

Consent Mechanism: The Role of a Consent Manager

The Bill also introduces the construct of ‘consent managers’, who will serve as a single point of contact for users to offer, withdraw and manage their consent via an ‘accessible, transparent and interoperable’ platform. The Bill also mandates that these consent managers be registered with the Data Protection Board and be ‘accountable’ to the users, or Data Principals. The Bill empowers consent managers to file complaints on behalf of users, which will streamline the process of consent management.

Appeals, Mediation, and Voluntary Undertakings

The Bill provides a clear pathway for appeals to the Appellate Tribunal and emphasizes timely resolution of disputes. It also introduces the concept of mediation and voluntary undertakings, offering alternative avenues for resolving issues related to personal data.

Conclusion

India’s DPDP Bill marks a significant step towards a new era of privacy and security. By empowering individuals, regulating data processors, and establishing a robust governance structure, the Bill sets a strong foundation for protecting personal data. The Bill also lays the foundation for various other laws such as the Digital India Act and industry-specific laws around privacy and data protection to augment India’s march towards mainstream adoption of AI and other emerging technologies. While it addresses the need for robust data protection, its implementation will require careful balancing of various interests, including individual privacy, national security, and economic growth.

