Explained: Why Digital Personal Data Protection Bill Matters

The Narendra Modi government's Personal Data Protection Bill received the approval of Parliament on Wednesday. This legislation outlines mandates for private companies engaged in online data collection while making allowances for government entities and law enforcement agencies. The Bill's enactment comes after six years since the Supreme Court established the 'Right to Privacy' as a fundamental right. It encompasses measures aimed at preventing the improper utilization of users' personal data by online platforms.

The Digital Personal Data Protection Bill of 2023 aims to regulate the processing of digital personal data while upholding individuals' data protection rights and the legitimate need to use such data for lawful purposes. The bill safeguards data that can identify individuals and outlines the responsibilities of entities (Data Fiduciaries) processing such data, the rights of the individuals (Data Principals) to whom the data pertains and penalties for breaches.

The bill also strives to achieve the following objectives:

1. Introduce data protection measures with minimal disruption, ensuring Data Fiduciaries bring necessary changes in data processing.
2. Improve the quality of life and business processes.
3. Foster India's digital economy and innovation ecosystem.

The bill is founded upon seven principles:

1. Consent-based, lawful, and transparent use of personal data.
2. Limiting data use to the purpose specified during consent.
3. Collecting only essential personal data for the specified purpose.
4. Ensuring data accuracy and currency.
5. Storing data only as long as required for the designated purpose.
6. Implementing reasonable security measures.
7. Holding entities accountable through penalties for breaches and violations.

Noteworthy features of the bill include its concise and straightforward nature, with clear language and minimal cross-referencing. Additionally, it employs gender-neutral language by using "she" alongside "he" for the first time in parliamentary law-making, acknowledging women's participation.

The bill grants individuals several rights, including:

1. Access to information about processed personal data.
2. The right to correct and erase data.
3. Redressal of grievances.
4. The right to nominate someone to act on their behalf in cases of incapacity or death.

Data Principals can initially approach the Data Fiduciary to enforce their rights. If unsatisfied, they can escalate their complaints to the Data Protection Board.

The bill outlines various obligations for Data Fiduciaries, such as:

1. Implementing security measures to prevent data breaches.
2. Notifying Data Principals and the Data Protection Board of breaches.
3. Erasing data when no longer needed or upon withdrawal of consent.
4. Establishing a grievance redressal system and appointing a designated officer.
5. Additional responsibilities for Significant Data Fiduciaries, including data audits and periodic assessments.

Children's personal data is protected under the bill. Processing their data requires parental consent and is prohibited if it harms their well-being or involves tracking, monitoring, or targeted advertising.

Exemptions under the bill cover areas such as:

1. National security and public order.
2. Research, statistics, and archiving.
3. Specific categories of Data Fiduciaries like startups.
4. Legal rights enforcement.
5. Judicial or regulatory functions.
6. Offence prevention, detection, investigation, or prosecution.
7. Processing non-resident data under foreign contracts.
8. Approved mergers or demergers.

The primary functions of the Data Protection Board include:

1. Directing remedies for data breaches.
2. Investigating breaches and complaints, imposing fines.
3. Referring to disputes for resolution and accepting voluntary commitments.
4. Advising government action against repeat violators.

• Digital India
• Digital Personal Data Protection Bill 2023
• data privacy