Cabinet Approves Draft Digital Personal Data Protection Bill: Set to Become an Act in the Monsoon Session

Cabinet Approves Draft Digital Personal Data Protection Bill: Set to Become an Act in the Monsoon Session

The Union Cabinet has approved the draft Digital Personal Data Protection Bill, 2023, (DPDP) which is expected to be tabled in the upcoming Monsoon session of Parliament for consideration and passage.

Once the bill is passed, the law will become India’s core data governance framework, six years after the Supreme Court declared privacy as a fundamental right.

The Digital Personal Data Protection Bill, 2022 is aimed at safeguarding personal data.

Key provisions of the bill include requiring companies collecting data to cease retaining personal information or remove any means by which personal data can be linked to specific data principles.

According to the draft, the Data Protection Board, a new regulatory body to be set up by the government — can impose a penalty of up to Rs. 500 crores if non-compliance by a person is found to be significant.

The bill proposes six types of penalties for non-compliance, including up to Rs. 250 crores for failure to take reasonable security safeguards, up to Rs. 200 crores for failure to notify the Board and affected users in the event of a personal data breach, and up to Rs 200 crore for non-fulfilment of additional obligations related to children.

The Bill has omitted the clause for compensation to affected data principals and proposed to impose a penalty of Rs. 10,000 on individuals providing unverifiable or false information while applying for any document, service, proof of identity or address, or registering a false or frivolous complaint with a data fiduciary (who collects and processes the data) or with the board.

The Bill defines a ‘Data Principal’ as an ‘individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child’. Organisations such as banks will have to explicitly state the purpose of collecting data.

The Key features of the bill are:

(a) Applicability:

The Bill will apply to the processing of digital personal data within India where such data is: (i) collected online, or (ii) collected offline and is digitised. It will also apply to the processing of personal data outside India, if it is for offering goods or services or profiling individuals in India. Personal data is defined as any data about an individual who is identifiable by or in relation to such data. Processing has been defined as an automated operation or set of operations performed on digital personal data. It includes collection, storage, use, and sharing.

(b) Consent:

Personal data may be processed only for a lawful purpose for which an individual has given consent. A notice must be given before seeking consent. Notice should contain details about the personal data to be collected and the purpose of processing. Consent may be withdrawn at any point in time. Consent will be deemed given where processing is necessary for: (i) performance of any function under a law, (ii) provision of service or benefit by the State, (iii) medical emergency, (iv) employment purposes, and (v) specified public interest purposes such as national security, fraud prevention, and information security. For individuals below 18 years of age, consent will be provided by the legal guardian.

(c) Rights and duties of data principal:

An individual, whose data is being processed (data principal), will have the right to: (i) obtain information about processing, (ii) seek correction and erasure of personal data, (iii) nominate another person to exercise rights in the event of death or incapacity, and (iv) grievance redressal. Data principals will have certain duties. They must not: (i) register a false or frivolous complaint, (ii) furnish any false particulars, suppress information, or impersonate another person in specified cases. Violation of duties will be punishable with a penalty of up to Rs 10,000.

(d) Obligations of data fiduciaries:

The entity determining the purpose and means of processing, called data fiduciary, must: (i) make reasonable efforts to ensure the accuracy and completeness of data, (ii) build reasonable security safeguards to prevent a data breach and inform the Data Protection Board of India and affected persons in the event of a breach, and (iii) cease to retain personal data as soon as the purpose has been met and retention is not necessary for legal or business purposes (storage limitation). The storage limitation requirement will not apply in case of processing by government entities.

(e) Transfer of personal data outside India:

The central government will notify countries where a data fiduciary may transfer personal data. Transfers will be subject to prescribed terms and conditions.

(f) Exemptions:

Rights of the data principal and obligations of data fiduciaries (except data security) will not apply in specified cases including prevention and investigation of offences, and enforcement of legal rights or claims. Moreover, the central government may, by notification, exempt certain activities from the application of provisions of the Bill. These include: (i) processing by government entities in the interest of the security of the state and public order, and (ii) research, archiving, or statistical purposes.

(g) Data Protection Board of India:

The central government will establish the Data Protection Board of India. Key functions of the Board include: (i) monitoring compliance and imposing penalties, (ii) directing data fiduciaries to take necessary measures in the event of a data breach, and (iii) hearing grievances made by affected persons. The central government will prescribe: (i) composition of the Board, (ii) selection process, (iii) terms and conditions of appointment and service, and (iv) manner of removal.

(h) Penalties:

the Bill stipulates penalties for various offences such as: (i) up to Rs. 150 crores for non-fulfilment of obligations for children and (ii) up to Rs. 250 crores for failure to take security measures to prevent data breaches. Penalties will be imposed by the Board after conducting an inquiry.

The draft bill will now be tabled in the Parliament, and will become an act once approved by the Parliament. The monsoon session of Parliament will be held from 20 July to 11 August.