The government has tabled the Digital Personal Data Protection (DPDP) Bill, 2023 in the Lok Sabha. The bill proposes data protection legislation that allows the transfer and storage of personal data in some countries while raising the penalty for violations. Also, the proposed legislation stipulates consent before collecting personal data and provides for stiff penalties of as much as Rs 5 billion on persons and companies that fail to prevent data breaches including accidental disclosures, sharing, altering, or destroying personal data.
The bill applies to the processing of “digital personal data” and excludes from its ambit both non-personal data and data in non-digital formats. This applies to processing digital personal data within the Indian territory and processing digital personal data outside India if such processing is in connection with any profiling or offering goods or services to data principals within India. However, it does not apply to non-automated processing, processing for domestic or personal purposes by individuals, and personal data about individuals contained in records that have been in existence for at least 100 years.
As per the bill, the personal data of an individual can only be processed for a lawful purpose for which the concerned individual has given consent or is deemed to have given her consent. It mentions that consent should be free, specific, informed, and unambiguous. Though a clause of deemed consent has been added, that refers to situations where consent is not expressly needed. Cross-border data flow to certain countries and territories has been permitted, along with relaxations in data localisation requirements.
Further, to determine non-compliance and imposition of penalty, a data protection board will be set up, which will be digital by design and will also accept voluntary undertakings. The bill permits data fiduciaries to retain personal data for business purposes even after the purpose for collection is no longer served by its retention. In the bill, a penalty of Rs 2 billion is proposed if the data fiduciary or the data processor fails to report a personal data breach to the data protection board and affected individuals. Also, for failure to ensure reasonable security safeguards, the data fiduciary or processor can be penalised up to Rs 2.5 billion.
According to Rajeev Chandrasekhar, Minister of State for Electronics and Information Technology and Skill Development and Entrepreneurship, the DPDP Bill introduced in the parliament is a very significant milestone in the government’s vision of global standard cyber laws for India’s $1 trillion digital economy and India Techade. He said that the Ministry of Electronics and Information Technology has developed this bill after extensive consultations with all stakeholders. As per the minister, the new bill, after it is passed by the parliament, will protect the rights of all citizens, allow the innovation economy to expand, and permit the government’s lawful and legitimate access to national security and emergencies like pandemics, earthquakes, etc.