What is the Digital Personal Data Protection Act 2023?
The following are some ways that the Act safeguards digital personal data, or information that may be used to identify an individual:
• The responsibilities of data fiduciaries, which include individuals, businesses, and governmental organizations that handle data, with regard to data processing (i.e., gathering, storing, or performing any other action on personal data).
• The rights and obligations of data principals, that is, the people whose data is processed.
• Monetary sanctions for violations of rights, responsibilities, and duties.
• The creation of the Indian Data Protection Board
The Indian Parliament passed the Digital Personal Data Protection Act, 2023, also referred to as the DPDP Act or DPDPA-2023, to establish guidelines for processing digital personal data in a manner that acknowledges people's right to privacy as well as the necessity of processing such data for legitimate purposes and related or incidental purposes. It is the first Act of the Indian Parliament to use the pronouns "she/her" instead of the more common "he/him" pronouns.
Highlights of the Digital Personal Data Protection Bill 2023
• Digital personal data processing in India that involves either offline or online collection and digitization would be covered by the Bill. If such processing is done outside of India in order to supply products or services in India, it will also be covered.
• Personal information may only be processed for a valid reason with the agreement of the individual. Consent may not be necessary for certain legitimate uses, such as when a person voluntarily shares their data or when the State processes it for licenses, permits, benefits, and services.
• Data fiduciaries will be required to preserve data security, ensure data accuracy, and remove data after its intended use.
• The central government may exempt government agencies from the Bill's provisions for specific reasons, such as public order, the security of the country, and the prevention of offenses.
• The Bill gives individuals rights including the ability to access information, request rectification and deletion, and file a grievance. The central government will establish the Data Protection Board of India.
Key Issues and Analysis of the Digital Personal Data Protection Bill 2023
• The State may collect, process, and retain more data than is required if it is granted exemptions from data processing on the grounds of national security. The basic right to privacy could be infringed by this.
• The Bill does not address the risks of harm arising from the processing of personal data, nor does it grant the data principal the right to data portability or the right to be forgotten.
• With the exception of nations designated by the central government, the Bill permits the transfer of personal data outside of India. This approach may not guarantee a sufficient assessment of data protection regulations in the nations where the transfer of personal information is permitted.
• The members of the Data Protection Board of India are eligible for reappointment after serving a two-year term. The short term, combined with the possibility of reappointment, may affect the Board's independent functioning.
Key Features of the Digital Personal Data Protection Bill 2023
• Applicability: The Bill covers the processing of digital personal data in India that is either (i) gathered online or (ii) gathered offline and then converted to digital form. If personal data is processed outside of India in order to provide products or services in India, it will also be covered. Any information about a person that may be used to identify them is considered personal data. Processing is defined as an operation or series of procedures carried out on digital personal data that are either fully or partially automated. It covers gathering, storing, using, and sharing.
• Consent: Personal data may be processed only for a legitimate purpose and only with the individual's consent. A notice must be given before consent is requested. The notice should contain details about the personal data to be collected and the purpose of processing. Consent can be withdrawn at any time. Consent will not be required for "legitimate uses," which include (i) a particular use for which an individual voluntarily provides data, (ii) the government offering a benefit or service, (iii) a medical emergency, and (iv) employment. Anyone younger than eighteen will require permission from their parent or legal guardian.
• Rights and Duties of the Data Principal: The individual whose information is being processed, known as the data principal, is entitled to the following: (i) notification of processing; (ii) erasure and correction of personal data; (iii) appointing a successor to exercise those rights in the event of incapacity or death; and (iv) grievance redressal.
• Data principals will also have certain duties. They are prohibited from: (i) filing a baseless or fraudulent complaint; and (ii) providing any false information or posing as someone else in certain situations. A fine of up to Rs 10,000 will be imposed for duty violations.
• Data fiduciaries also have certain obligations: (i) establish reasonable security measures to prevent a data breach; (ii) notify the Data Protection Board of India and the affected parties in the event of a breach; (iii) delete personal data as soon as the purpose has been fulfilled and its retention is no longer required by law (storage limitation); and (iv) make reasonable efforts to ensure the accuracy and completeness of data. Storage limitation and the data principal's right to erasure do not apply to government organizations.
• Personal data transmission outside of India: The Bill permits the transfer of personal data outside of India, with the exception of nations that the central government has designated by notification.
• Exemptions: In some situations, the data principal's rights and the data fiduciaries' duties (apart from data security) will not be applicable. These consist of: (i) preventing and investigating offenses; and (ii) enforcing legal rights or claims. The central government may, by notification, exempt certain activities from the applicability of the Bill. These consist of (i) processing by government agencies for the sake of public order and state security, and (ii) research, archiving, or statistical analyses.
• Data Protection Board of India: The central government of India has created this organization to keep a check on compliance with the DPDP Act. The Board's duties are to (i) monitor compliance and enforce penalties, (ii) provide guidance to data fiduciaries about what to do in the event of a data breach, and (iii) hear grievances from affected parties. Board members are eligible for reappointment after serving two-year terms. The central government will provide details such as the number of board members and the selection process. Appeals against the Board's decisions will be handled by TDSAT.
• Fines: The Bill's schedule stipulates fines of up to (i) Rs 200 crore for failure to fulfil obligations relating to children, and (ii) Rs 250 crore for failure to put security measures in place to prevent data breaches. The Board will impose sanctions after an inquiry.
What are the effects of the Digital Personal Data Protection Act 2023?
1. Privacy as a Fundamental Right: The Act has mandated privacy as a fundamental right. It was implemented in response to the 2017 ruling in Justice K.S. Puttaswamy v. Union of India.
2. Data Protection Framework: The Act has guaranteed responsibility and user protection and has established standards for how data fiduciaries manage personal data.
3. Informed Consent and Purpose Limitation: The Act makes people's consent essential to processing their data, and only for specific, lawful purposes.
4. Ease of Doing Business and Digital Governance: The Act has given digital service providers legal certainty, which may also have strengthened the digital economy.
5. Global Compliance: The Act has facilitated cross-border digital trade by helping to align Indian data regulations with international standards such as the General Data Protection Regulation (GDPR) of the EU.
Conclusion
The DPDP Act is a significant step in improving data security and privacy in India. The proposed Rules give additional clarification on the law's application, especially with regard to consent, data retention, security, breach notifications, children's data, and cross-border data transfers. The proposed Rules set the stage for stronger data protection, including how consent managers will be used in practice and the effects of cross-border restrictions. In an increasingly digital environment, companies need to be aware of how regulations are changing in order to maintain compliance and safeguard data principals' rights.