Digital Personal Data Protection Bill Passed by Parliament

Digital Personal Data Protection Bill Passed by Parliament

The Rajya Sabha today passed the Digital Personal Data Protection Bill, 2023 which was already approved by Lok Sabha on August 07.

The Bill seeks “to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes.”

It applies to the processing of digital personal data within the territory of India where the personal data is collected in digital form or in non-digital form and digitised subsequently.

It shall also apply to processing of digital personal data outside the boundaries of India, if such processing is in connection with any activity in connection with the provision of goods or services “to Data Principals within the territory of India.”

“Data Principal” is defined as the individual to whom the personal data relates.

According to the Bill, the personal data can be processed only after taking the consent and for certain “legitimate uses”. “Personal data” is defined under the Bill as “any data about an individual who is identifiable by or in relation to such data.”

It grants authority to the Central Government to exempt government agencies from adhering to the Bill’s provisions on specific grounds like state security, public order, and prevention of offences.

The central government is mandated by the Bill to create the Data Protection Board of India to monitor compliance and imposition of penalties, direct data fiduciaries to take necessary measures in the event of a data breach and to address grievances made by affected persons.

Penalties are also provided for various offences such as for non-fulfilment of obligations for children upto Rs 200 crore, and for failure to take security measures to prevent data breaches, upto Rs 250 crore.

The Bill mandates that consent requests must be accompanied by or preceded with a notice explaining the purpose of processing personal data. Additionally, it bestows specific rights upon individuals, such as the right to access information, request corrections or erasure, and seek resolution for grievances.

Use Of Personal Data For Certain “Legitimate Use”

A “Data Fiduciary”, means any person who alone or in conjunction with other persons determines the purpose of processing of personal data, can process the personal data for the following purposes.

For the specified purpose for which the person has voluntarily provided her personal data to the Data Fiduciary.

For the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State.

To provide or issue subsidy, benefit, service, certificate, licence or permit wherein the person has previously consented or available from “any database” maintained by the government as notified by the Central Government.

Furthermore, it stipulates that personal data may also be utilized for the execution of functions by the State or its entities as prescribed by existing laws in India, or in the interest of maintaining India’s sovereignty, integrity, or national security.

The Bill further provides that Personal Data can also be processed for fulfilling any obligation under any law for the time being in force in India on any person to disclose any information to the State or any of its instrumentalities, subject to such processing being in accordance with the provisions regarding disclosure of such information in any other law for the time being in force.

It can also be used to comply with any judgment or decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India.

It also applies to addressing medical emergencies where there’s a risk to the life or immediate health of the Data Principal or any individual, as well as during epidemics and for implementing safety protocols during disasters or instances of public disorder.

According to Mr. Vihang Virkar, Partner, Lumiere Law Partners,

“It is time that India established a robust legal mechanism to protect personal data of its citizens, in line with global standards. The current legal framework in India dealing with protection of personal data is formed of an assortment of legal provisions which can be found in various separate legislation. While India is moving rapidly to become a dominant player in the global digital economy, it is important that the existing collage of data protection laws in India be unified into a single statute. The current form of the Digital Personal Data Protection Bill, which was recently passed in the Lok Sabha, is certainly a step in the right direction as it seeks to create a framework of rights for citizens vis-à-vis their digitised personal data, and also imposes obligations and restrictions on the usage of collected digitised personal data.

The bill, when notified, will bring about some important systemic changes – such as setting up of a Data Protection Board to regulate the regime of digital personal data protection, exemptions being granted to the government in the handling of personal data in certain situations, identification of certain entities/ persons as significant data fiduciaries and casting additional obligations on them, imposing significantly higher penalties for breach, etc. I am hoping to see the bill being passed to become law soon.”