Digital Personal Data Protection Bill, 2023: Explained, pointwise


Introduction

Recently, the Digital Personal Data Protection Bill, 2023, was introduced in Parliament. The Bill was tabled after nearly five years of negotiations involving the government, technology companies and civil society representatives. It lays out procedures on how corporations and the government itself can collect and use information and personal data of India’s citizens.  

What was the need for the Digital Personal Data Protection Bill, 2023? 

Personal data is information that relates to an identified or identifiable individual.  Businesses as well as government entities process personal data for delivery of goods and services.   

Processing personal data allows understanding preferences of individuals, which may be useful for customisation, targeted advertising, and developing recommendations.  Processing personal data may also aid law enforcement.   

Unchecked processing may have adverse implications for the privacy of individuals, which has been recognised as a fundamental right. It may subject individuals to harm such as financial loss, loss of reputation, and profiling. 

As technologies like Artificial Intelligence advance and permeate various aspects of daily lives, the potential for extensive data collection, analysis, and manipulation grows exponentially.  

Without effective data protection measures, individuals’ personal information is at risk of being exploited, leading to privacy breaches, identity theft, and other malicious activities. 

Currently, India does not have a standalone law on data protection.  Use of personal data is regulated under the Information Technology (IT) Act, 2000.  

In the Puttaswamy judgement of 2017, the Supreme Court upheld the right to privacy. In the same year, the government constituted the Justice B. N. Srikrishna Committee on Data Protection to examine issues relating to data protection in the country. The Committee submitted its report in 2018.

Based on the recommendations of the Committee, the Personal Data Protection Bill, 2019 was introduced in Lok Sabha. The Bill was referred to a Joint Parliamentary Committee which submitted its report in December 2021. 

In August 2022, the Bill was withdrawn from Parliament. In November 2022, a Draft Bill was released for public consultation. In August 2023, the Digital Personal Data Protection Bill, 2023 was introduced in Parliament. 

What are the key features of the Digital Personal Data Protection Bill, 2023? 

Applicability:  The Bill applies to the processing of digital personal data within India where such data is: (i) collected online, or (ii) collected offline and is digitised.  It will also apply to the processing of personal data outside India if it is for offering goods or services in India.   

Consent: Personal data may be processed only for a lawful purpose after obtaining the consent of the individual.  Notice must be given before seeking consent.  Consent may be withdrawn at any point in time. Consent will not be required for ‘legitimate uses’ defined in the Bill. For individuals under 18 years of age, consent will be provided by the parent or the legal guardian. 

Rights of data principal:  An individual whose data is being processed (data principal), will have the right to: (i) obtain information about processing, (ii) seek correction and erasure of personal data, (iii) nominate another person to exercise rights in the event of death or incapacity, and (iv) grievance redressal.   

Duties of data principal: Data principals will have certain duties.  They must not: (i) register a false or frivolous complaint, and (ii) furnish any false particulars or impersonate another person in specified cases.  Violation of duties will be punishable with a penalty of up to Rs 10,000. 

Obligations of data fiduciaries: The entity determining the purpose and means of processing (data fiduciary) must: (i) make reasonable efforts to ensure the accuracy and completeness of data, (ii) build reasonable security safeguards to prevent a data breach, (iii) inform the Data Protection Board of India and affected persons in the event of a breach, and (iv) erase personal data as soon as the purpose has been met and retention is not necessary for legal purposes (storage limitation). In the case of government entities, storage limitation and the right of the data principal to erasure will not apply.

Transfer of personal data outside India:  The Bill allows transfer of personal data outside India, except to countries restricted by the central government through notification.   

Exemptions: Rights of the data principal and obligations of data fiduciaries (except data security) will not apply in specified cases. The central government may, by notification, exempt certain activities from the application of the Bill.  These include: (i) processing by government entities in the interest of the security of the state and public order, and (ii) research, archiving, or statistical purposes. 

Data Protection Board of India: The central government will establish the Data Protection Board of India.  Key functions of the Board include: (i) monitoring compliance and imposing penalties, (ii) directing data fiduciaries to take necessary measures in the event of a data breach, and (iii) hearing grievances made by affected persons.  Board members will be appointed for two years and will be eligible for re-appointment. Appeals against the decisions of the Board will lie with TDSAT (Telecom Disputes Settlement and Appellate Tribunal). 

Penalties: The schedule to the Bill specifies penalties for various offences such as up to: (i) Rs 200 crore for non-fulfilment of obligations for children, and (ii) Rs 250 crore for failure to take security measures to prevent data breaches.  Penalties will be imposed by the Board after conducting an inquiry.   

What are the concerns related to the Digital Personal Data Protection Bill, 2023? 

Exemptions: The Supreme Court in the Puttaswamy judgement has held that any infringement of the right to privacy should be proportionate to the need for such interference. Exemptions for the State may lead to data collection, processing, and retention beyond what is necessary. This may not be proportionate and may violate the fundamental right to privacy.

Risk of surveillance: The Bill empowers the central government to exempt processing by government agencies from any or all provisions, in the interest of the security of the state and maintenance of public order. The Bill does not require government agencies to delete personal data after the purpose for processing has been met. Using the above exemptions, on the ground of national security, a government agency may collect data about citizens to create a 360-degree profile for surveillance.

Regulating harm arising from processing of personal data: The Bill does not regulate the risks of harm arising from the processing of personal data. The Srikrishna Committee has observed that harm is a possible consequence of personal data processing. Harm may include material losses such as financial loss and loss of access to benefits or services. It may also include identity theft, loss of reputation, discrimination, and unreasonable surveillance and profiling.

Right to data portability and the right to be forgotten not provided: The Bill does not provide for the right to data portability and the right to be forgotten. The 2018 Draft Bill and the 2019 Bill introduced in Parliament provided for these rights. The Joint Parliamentary Committee, examining the 2019 Bill, recommended retaining these rights. The Srikrishna Committee observed that a strong set of rights of data principals is an essential component of a data protection law. These rights are based on principles of autonomy, transparency, and accountability to give individuals control over their data. 

Cross-border transfer of data: The Bill provides that the central government may restrict the transfer of personal data to certain countries through a notification.  This implies the transfer of personal data to all other countries without any explicit restrictions. This mechanism may not provide adequate protection. In the absence of robust data protection laws in another country, data stored outside India may be more vulnerable to breaches or unauthorised sharing with foreign governments as well as private entities.   

Independence of the Data Protection Board: A short-term appointment (2 years) with scope for re-appointment may affect the independent functioning of the Board. In the case of Tribunals, the Supreme Court (2019) had observed that short tenures, along with provisions for re-appointment, increase the influence and control of the Executive.

Provisions for children: Under the Bill, a child has been defined as a person under 18 years of age. In other jurisdictions like the USA, UK and European Union, the age varies from 13 to 16 years. The Bill requires all data fiduciaries to obtain verifiable consent from the legal guardian before processing the personal data of a child. A sizable number of children will need to seek parental consent for services they can easily access right now. There are questions about how data processing entities will verify the age of children and obtain parental consent. If every data fiduciary has to verify the age of everyone signing up for its services, anonymity in the digital sphere may be reduced.

What are the positive aspects of the Digital Personal Data Protection Bill, 2023? 

Understandable and accessible: The Bill is written in a concise, straightforward and uncomplicated manner, with minimal use of legal jargon and liberal use of illustrations. This makes it more understandable and accessible to the public.

Principles-based approach: Given the pace of innovation and disruption in the tech sector, the Bill focuses on principles and outcomes rather than modes and processes. This will enhance the longevity of the Bill and also give businesses flexibility in achieving compliance.

Light-touch approach: Businesses will benefit from the light-touch and facilitative approach of the Bill towards personal data protection. This signifies the trust reposed by the government in the private sector to act as responsible custodians of the personal data of their customers.  

Impetus for startup ecosystem: The rationalized and minimally intrusive data protection regime will attract global tech investments. The Bill will be a boon for startups as they are to be exempted from certain obligations, upon notification. This will provide further impetus to the startup ecosystem and boost its global competitiveness. 

What are the data protection laws in other countries?

According to UNCTAD, 71 per cent of countries had put in place legislation to secure the protection of data and privacy. Africa and Asia show different levels of adoption, with 61 and 57 per cent of countries respectively having adopted such legislation.


How is India’s proposed law different from other jurisdictions?

Publicly available data exempt: The Bill does not protect data that is made publicly available by an individual or anyone else. Data protection norms around the world extend obligations to publicly available data too. 

Consent managers are licensed: Consent managers will help individuals give and manage their consent across different businesses. This is perhaps the first instance of a privacy law recognising and regulating such entities.

Cross-border data flows made flexible: The Bill allows data transfers outside India or offshore data processing. But in a departure from global regimes, the Bill does not set out any conditions for transferring data. 

Children’s data: Many global laws treat children under 13, and those between 13 and 17 differently, based on risks and harms. Under the Bill, all children under 18 are treated alike. 

Conclusion 

An all-encompassing digital governance framework goes beyond just having a strong data protection law. It necessitates addressing various interrelated aspects like cybersecurity, competition, artificial intelligence, and more. The European Union’s strategy, which includes supplementary measures like the Data Act, Digital Services Act, Digital Markets Act, and the AI Act, offers valuable lessons in achieving comprehensive regulation in this regard. 

Sources: Times of India, Indian Express, Livemint, PRS
