Digital Personal Data Protection Bill, 2023

In a historic move, the Digital Personal Data Protection Bill (DPDPB) received presidential assent on August 11, 2023, following its unanimous passage through both houses of the Indian parliament last week. The enactment of this crucial legislation marks a significant leap forward in safeguarding the personal information of Indian citizens in the digital age.
Key Features of the bill:
- Applicability: The Bill applies when digital personal data is processed in India and is either (i) collected online or (ii) collected offline and digitized. Processing carried out outside India is likewise covered if it is performed to supply goods or services in India. Personal data is any information about a person who can be identified from or in relation to that information. The term “processing” refers to any fully or partially automated action taken on digitally stored personal data. This covers gathering, storing, using, and sharing.
- Consent: Personal data may be used only with the individual’s consent and for a legal purpose. The individual must be informed before consent is requested. Information about the collected personal data and the purpose of the processing must be included in the notification. The option to withdraw consent is always available. Consent is not required for “enforced use,” which includes (i) a specific purpose for which the individual voluntarily provided information, (ii) a government-provided benefit or service, (iii) emergency care, and (iv) employment. For a minor under the age of 18, consent must be given by a parent or legal guardian.
- Rights and duties of data principal: A person whose data is being processed (referred to as the “data principal”) is entitled to the following rights: (i) information about processing; (ii) deletion of personal data; (iii) designating a substitute for themselves to exercise rights in the case of death or incapacity; and (iv) grievance redressal. Certain obligations will fall on data principals. They must not: (i) make fictitious or baseless complaints; (ii) provide false information; or (iii) impersonate another person under certain circumstances. A fine of up to 10,000 rubles is imposed for a breach of official duty.
- Obligations of data fiduciaries: The organization deciding the purpose and method of processing, or “data fiduciary,” is required to: (i) take reasonable steps to ensure the accuracy and completeness of the data; (ii) implement reasonable security measures to prevent data breaches; (iii) report the data breach to the Data Protection Board of India and other relevant parties; and (iv) delete personal data as soon as the purpose is fulfilled, and storage is no longer necessary for legal purposes (retention limitation). State organizations are exempt from storage restrictions and the data controller’s right to delete them.
- Transfer of personal data outside India: Except for nations that have been limited by notification from the central government, the Bill permits the transfer of personal data outside of India.
- Exemptions: In certain circumstances, the rights of the controller and the obligations of the data controllers do not apply (except for data security). These include (i) the prevention and investigation of crime and (ii) the protection of legal rights or claims. The state can exempt certain functions by announcing the implementation of the bill. These consist of (i) processing by government agencies for the sake of state security and public order, and (ii) gathering information for research, archiving, or statistical purposes.
- Data Protection Board of India: The Data Protection Board of India will be established by the national government. The main tasks of the board are (i) to impose sanctions in case of non-compliance, (ii) to require appropriate measures from data security employees in case of data security violations, and (iii) to hear complaints presented by the stakeholders. Board members are appointed for two years and may be reappointed. The board determines the number of board members and the election procedure. TDSAT deals with appeals against decisions of the board.
- Penalties: Penalties for numerous offenses are outlined in the schedule to the Bill, including up to (i) Rs 200 crore for failing to fulfill commitments to minors and (ii) Rs 250 crore for not taking security measures to prevent data breaches. The Board will issue penalties following an investigation.
Highlights of the bill:
- The Bill will apply to the processing of digital personal data in India, whether the data is collected online or collected offline and then digitized. It also applies to processing outside India if that processing is for the supply of goods or services in India.
- Personal data may be processed only with the person’s consent and for valid purposes. Consent is not required for certain specified purposes, which include government processing for permits, licenses, benefits, and services, or the voluntary sharing of a person’s data.
- Data fiduciaries will be required to keep data accurate and secure, and to delete it once its purpose has been served.
- The Bill grants individuals several rights, including the right to obtain information, seek correction and erasure, and file a grievance.
- For specific reasons, such as state security, public order, and the prevention of crimes, the central government may exempt government agencies from the Bill’s provisions.
- The Data Protection Board of India will be established by the national government to decide on any violations of the Bill’s requirements.
Key Issues and Analysis:
- If the State is exempted from data processing requirements for reasons of national security, for instance, the collection, processing, and storage of data may go beyond what is necessary. This can undermine the fundamental right to privacy.
- The regulation does not regulate the risks of harm associated with the processing of personal data.
- The right to data portability and the right to be forgotten are not granted by the law to the data controller.
- The Bill allows the transfer of personal data outside India, but only to authorized countries. This mechanism may not provide an adequate assessment of the level of data protection in countries where the transfer of personal data is allowed.
- The members of the Data Protection Board of India shall serve for two years and may be reappointed. The Board’s independence can be hampered by the short duration and potential for reappointment.
Conclusion:
When the new Data Protection Board of India is established, and additional rules for the specification of the law are created and formally declared, many details of the Act will still need to be explained.