THE DIGITAL PERSONAL DATA PROTECTION BILL, 2023

ABSTRACT

The right to privacy in India is a fundamental right that is derived by implication from Article 21 of the Constitution. In the Puttaswamy judgment, the court stressed that strict laws on data protection and privacy must be enacted as soon as possible. The importance of data protection legislation in protecting the personal information of Indian data subjects was evident due to the significant impact of the digital economy on people’s privacy. On this basis, an advisory body was established to formulate a set of data protection laws. India is almost ready to adopt such a law after 6 years. The journey has witnessed many versions of the draft bill since 2017. The Central Government introduced the Digital Personal Data Protection Bill, 2023 (“DPDP Bill”) in the Lok Sabha on August 3, 2022; it was passed in the Lok Sabha on 7th August 2023, and on 9th August 2023 it was passed by the Rajya Sabha. The DPDP Bill, 2023 is the fifth iteration of India’s draft data protection law, and this bill is likely to be based on the Digital Personal Data Protection Bill, 2022 published by the Ministry of Electronics and Information Technology on 18 November 2018, which was open for public consultation[1].

This paper analyses the need for the bill, its key features, concerns related to the bill, and the positive aspects of the bill in depth.

KEYWORDS

Personal Data, Digital Personal Data, Data Fiduciaries, Restrictions, Data Protection Bill.

INTRODUCTION

The origins of the bill date back to 2011, when the Department of Personnel, Public Complaints, and Pensions began discussing the 2011 Right to Privacy Bill. According to the Internet Freedom Foundation, drafts of this bill covered privacy reform, data, and surveillance up to 2014 but went no further. In October 2012, a planning commission composed of a group of experts was set up to identify privacy issues in India that needed to be addressed. This committee, headed by Judge AP Shah, produced a comprehensive report on international and national standards and recommended privacy laws. In 2017, MeitY established the Privacy Expert Committee, chaired by Judge BN Srikrishna, to “ensure the development of the digital economy while ensuring the security of citizens’ personal data,” according to the ministry’s official website. The committee published a 176-page report, approached MeitY, and proposed the Personal Data Protection Act 2018 in July of the same year. There have been at least three versions of the law, but it wasn’t until 2022 that the new version was finally put forward as a draft for public consultation.

The Lok Sabha passed the Digital Personal Data Protection Bill, 2023 (DPDPB 2023) on 3rd August, after it had been highly debated for some time. On August 7th, the Lok Sabha approved a bill that seeks to “provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes[2],” according to the Ministry of Electronics and Information Technology (MeitY). During the introduction of the DPDP Bill in the Lok Sabha, MPs of opposition parties protested against several of its provisions and demanded that it be sent to a parliamentary committee for further scrutiny and recommendations. With the widespread use of technology in our daily routines, personal information is at risk of being misused. Every day, individuals share their personal information for various purposes, including cab reservations and online grocery purchases, which can compromise their right to privacy.

RESEARCH METHODOLOGY

This paper is built upon a comprehensive analysis of the pre-existing documents and literature available across various online platforms.

REVIEW OF LITERATURE

With so much personal information stored on the Internet, it is extremely important to put in place regulations to protect it. The main purpose of the Data Protection Act 2023 was found to be to introduce a data protection framework to protect people’s personal information.

WHAT ARE THE NEEDS FOR THE DPDP BILL, 2023?

Personal data is information relating to an identified or identifiable natural person. Businesses and government agencies process personal data to provide goods and services.

The processing of personal data makes it possible to understand the preferences of individuals, which can be useful for personalization, targeted advertising and the development of recommendations. The processing of personal data can also serve criminal prosecution.

Uncontrolled processing can have a negative impact on the privacy of individuals, which is recognized as a fundamental right. It can cause harm to people, such as financial loss, reputational damage, and profiling.

As technologies such as artificial intelligence advance and permeate various aspects of everyday life, the potential for data collection, analysis, and manipulation grows exponentially.

Without effective data protection measures, people’s personal information is at risk of being exploited, leading to privacy breaches, identity theft, and other malicious activities.

WHAT ARE THE KEY FEATURES OF THE DPDP, 2023?

Applicability: The Bill applies to the processing of digital personal data within India where such data is: (i) collected online, or (ii) collected offline and then digitized. It will also apply to the processing of personal data outside India if it is for offering goods and services in India. Personal data is defined as any data about an individual who is identifiable by or in relation to such data. Processing is defined as a wholly or partly automated operation or set of operations performed on digital personal data. It includes collection, storage, use, and sharing.

Consent: The consent given by the Data Principal must be (a) given without any hindrance; (b) given only for a specific, well-defined purpose; (c) given with each data principal knowing all aspects of what is collected; (d) without any conditions; (e) worded in a way that makes its meaning clear; (f) given through an express affirmative action; and (g) an expression of consent to the processing of their personal data for specific purposes, limited to the personal data necessary for that particular purpose only.

Rights and Duties of Data Principal- The person whose data is being processed (data principal) will have the right to (i) obtain information about the processing, (ii) request correction and deletion of personal data, (iii) designate someone else to exercise rights in the event of death or incapacitation, and (iv) seek redressal of complaints. The Data Principal will also have certain duties. They may not: (i) register false or frivolous claims, or (ii) provide false information or impersonate others under specific circumstances. Violation of these duties will result in a fine of up to Rs 10,000.

Obligations of Data Fiduciaries– A Data Fiduciary under the Bill may (a) engage, appoint, employ, or otherwise involve a data controller; (b) ensure completeness, accuracy, and consistency; (c) take appropriate technical and organizational measures; (d) implement reasonable security measures to prevent breaches of personal data; (e) notify each relevant data controller of the breach in the prescribed form and manner; (f) erase, and cause to be erased, all personal data where the Data Principal has withdrawn consent or the specified purpose is no longer being served; (g) publish, in the prescribed manner, the business contact details of the Data Protection Officer, if any, or of a person who may respond on behalf of the Data Fiduciary to questions raised, if any, by the Data Principal about the processing of their personal data; and (h) establish an effective mechanism for resolving the grievances of Data Principals.

Cross-border transfer of personal data– Personal Data may be transferred by a Data Fiduciary to any other country or territory for processing unless the central government restricts such transfer to any notified country. In other words, the DPDP Bill adopts a blacklisting approach, which implies that personal data is freely transferable unless the proposed transfer is to a territory or country “blacklisted” by the central government. However, the DPDP Bill states that if any other legislation or industry rule offers greater safeguards or limitations regarding the cross-border transfer of personal data from India, whether pertaining to specific personal data or a collection of data controllers, that particular law or regulation will take precedence.

Exemptions: The rights of data principals and the obligations of data fiduciaries (except data security) will not apply in specific cases. The bill’s application might be waived for specific activities through a notice issued by the central government. These include: (i) processing by government agencies in the interest of national security and public order, and (ii) processing for research, archival or statistical purposes.

Data Protection Board of India: The Data Protection Bill introduces the concept of the Data Protection Board of India (“Board”), which will be established by the central government. The main functions of the Board include: (i) monitoring compliance and applying penalties, (ii) directing data fiduciaries to take action in the event of a data breach, and (iii) hearing grievances made by affected persons. Challenges to the rulings made by the Board will be within the jurisdiction of the Telecom Disputes Settlement and Appellate Tribunal.

Enhanced notice requirements: While the 2022 draft proposed an obligation to disclose the description of the personal data collected and the purposes for which it is processed, the bill appears to have slightly expanded these requirements. The notice must now also include the manner in which the Data Principal can exercise their rights regarding the recovery of personal data and the resolution of complaints, and must specify the procedure for filing a complaint with the Board.

Penalties- The bill’s schedule provides for penalties for various offenses, such as (i) Rs 200 crore for failure to comply with obligations towards children and (ii) Rs 250 crore for failure to implement security measures aimed at preventing data breaches. The Board will assess the situation through an investigation before imposing the penalties.

WHAT ARE THE CONCERNS RELATED TO THE DPDP BILL, 2023?

Exemptions to the state may have adverse implications for privacy- The state’s processing of personal data has received several exemptions under the bill. According to Article 12 of the Constitution, the State consists of (i) central government, (ii) state government, (iii) local agencies, and (iv) agencies and businesses established by the government. These exemptions can cause some problems. 

Risk of surveillance- The proposed legislation grants authority to the central government to waive certain regulations for data processing carried out by government entities, citing reasons related to state security and upholding public order. The legislation does not impose an obligation on government bodies to erase personal data once its processing purpose is fulfilled. Leveraging these exceptions, under the pretext of national security, a governmental body could amass citizens’ information to construct a comprehensive surveillance profile.

Regulating harm arising from the processing of personal data- The bill does not cover the risk of harm arising from the processing of personal data. The Srikrishna Commission has observed that harm is a possible consequence of the processing of personal data. Harm can include material loss such as financial loss and loss of access to benefits or services. It can also include identity theft, loss of reputation, discrimination, and unreasonable tracking and profiling.[3]

Right to data portability and the right to be forgotten not provided: The bill does not provide for data portability or the right to be forgotten. Both the 2018 Bill and the 2019 Bill introduced in Parliament provided for these rights[4]. The Joint Parliamentary Committee, in considering the 2019 bill, recommended preserving these rights. The Srikrishna Commission observed that a strong set of data control rights is an essential part of data protection law. These rights are based on the principles of autonomy, transparency, and accountability to give individuals control over their data.

Cross-border transfer of data: The bill provides that the central government can restrict the transfer of personal data to certain countries through a notice. This implies that personal data may be transferred to all other countries without any apparent restrictions. This mechanism may not provide adequate protection. The purpose of regulating the transfer of personal data outside of India is to protect the privacy of Indian citizens. In the absence of strict data protection laws in another country, data stored outside of India may be vulnerable to breach or unauthorized sharing with foreign governments as well as private entities.

The 2019 Bill required that for certain categories of data, transfer to a country should be allowed only if it provides for an adequate level of protection[5]. The 2022 Draft Bill took a different approach, with the central government notifying countries where any personal data may be transferred[6]. Both of these mechanisms require a case-by-case assessment of the standards of each country to which data can be transferred. The selective country restriction mechanism does not require such a comprehensive review.

Shorter tenure may affect the independence of the Data Protection Board- The short-term appointment (2 years) with the possibility of extension may affect the independent operation of the Board. In a 2019 case, the Supreme Court found that short-term appointments as well as reappointment provisions increase the influence and control of the executive branch.

Provisions for children: Under the bill, a child is defined as a person under the age of 18. In other jurisdictions such as the United States, United Kingdom, and the European Union, the age threshold ranges from 13 to 16 years. The bill requires all data trustees to obtain verifiable consent from a legal guardian before processing a child’s personal data. A significant number of children will need parental consent for services they can easily access right now. Questions arise as to how the data processor will verify children’s ages and obtain parental consent. If every data trustee verified the age of anyone signing up for their service, anonymity in the digital realm could decrease.

WHAT ARE THE POSITIVE ASPECTS OF THE DPDP BILL, 2023?

Easy to understand and accessible: The bill is written in a concise, clear and simple manner with minimal legalese and uses many illustrations. This makes it easier to understand and accessible to the general public.

Principle-based approach: Due to the pace of innovation and disruption in the technology sector, the bill focuses on principles and results rather than methods and processes. This will improve the longevity of the bill and also give businesses flexibility in how they comply.

Light-touch approach: Businesses will benefit from the bill’s easy and favorable approach to personal data protection. It signifies the government’s trust in the private sector to act as a responsible custodian of their customers’ personal data.

Strengthening the Startup Ecosystem: The least intrusive and sensible data protection regime will attract global technology investment. The bill would benefit startups as they would be exempt from certain obligations when notified. This will give new impetus to the startup ecosystem and enhance its global competitiveness.

SUGGESTIONS

Clear definition of personal data: The bill should provide a clear and comprehensive definition of personal data, including any information that directly or indirectly identifies an individual. This will ensure that all types of personal data are protected by law.

Data retention and minimization: The bill should establish guidelines for data retention and minimization, specifying the maximum duration for which personal data can be stored and the need to minimize the collection and storage of personal data. This will help prevent unnecessary accumulation of personal data and enhance data privacy.

Data breach notification: The bill should mandate data controllers to promptly notify individuals and relevant authorities in the event of a data breach. This will enable individuals to take necessary steps to protect themselves and allow authorities to investigate and take appropriate action.

Enforcement and penalties: The bill should establish a robust enforcement mechanism with strict penalties for non-compliance. This will serve as a deterrent and ensure that organizations take data protection seriously.

Public awareness and education: The bill should include provisions for public awareness campaigns and educational initiatives to inform individuals about their rights and responsibilities regarding personal data protection. This will help create a culture of data privacy and empower individuals to make informed choices.

CONCLUSION

In conclusion, the Digital Personal Data Protection Bill, 2023 is an important piece of legislation that seeks to protect personal data in India. The legislation pertains to the handling of digital personal information within India, whether it’s gathered through online means or obtained offline and then digitized. The bill stipulates several requirements pertaining to the rights of data subjects, data retention and minimization, obligations of data controllers, consent and purpose limitation, data breach notification, enforcement and penalties, and public awareness and education. By incorporating these provisions, the bill can provide a strong framework for protecting personal data and ensuring the privacy and security of individuals’ information. The bill is a significant step towards safeguarding personal data in India and promoting a culture of data privacy.

RITIKA SINGH

CMR UNIVERSITY SCHOOL OF LEGAL STUDIES

REFERENCES

  1. Digital Personal Data Protection Bill, 2023, Rachit Bahl https://www.mondaq.com/india/data-protection/1353670/digital-personal-data-protection-bill-2023–key-highlights (Last Visited- August 2023)
  2. What is the Digital Personal Data Protection Bill 2023?, By Aisiri Amin https://lifestyle.livemint.com/smart-living/innovation/explained-digital-personal-data-protection-bill-2023-111691492228518.html (Last Visited- August 2023)
  3. Digital Personal Data Protection Bill, 2023 https://blog.forumias.com/digital-personal-data-protection-bill-2023-explained-pointwise/ (Last Visited- August 2023)
  4. Committee Report on Draft Personal Data Protection Bill, 2018 https://prsindia.org/files/bills_acts/bills_parliament/2019/Committee%20Report%20on%20Draft%20Personal%20Data%20Protection%20Bill,%202018_0.pdf (Last Visited- August 2023)
  5. Clause 26, The Personal Data Protection Bill, 2018, as released by the Ministry of Electronics and Information Technology. https://www.meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf (Last Visited- August 2023)
  6. Clause 33 and 34, The Personal Data Protection Bill, 2019, as introduced in Lok Sabha. http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf (Last Visited- August 2023)
  7. Clause 17, The Draft Digital Personal Data Protection Bill, 2022, Ministry of Electronics and Information Technology, November 18, 2022. https://prsindia.org/files/bills_acts/bills_parliament/2022/The%20Digital%20Personal%20Data%20Potection%20Bill,%202022.pdf (Last Visited- August 2023)


[1] Digital Personal Data Protection Bill, 2023, Rachit Bahl

[2] What is the Digital Personal Data Protection Bill 2023? By Aisiri Amin

[3] Committee Report on Draft Personal Data Protection Bill, 2018

[4] Clause 26, The Personal Data Protection Bill, 2018, as released by Ministry of Electronics and Information Technology. 

[5]  Clause 33 and 34, The Personal Data Protection Bill, 2019, as introduced in Lok Sabha.

[6] Clause 17, The Draft Digital Personal Data Protection Bill, 2022, Ministry of Electronics and Information Technology, November 18, 2022.
