What Is Digital Personal Data Protection Bill 2023? 15 Things To Know

By Prakash KL

Updated: Friday, August 4, 2023, 11:52 [IST]

Add as a preferred source on Google

The government on Thursday tabled the Digital Personal Data Protection Bill 2023 in the Lok Sabha with an aim to protect the privacy of Indian citizens while proposing a penalty of up to Rs 250 crore on entities for misusing or failing to protect digital data of individuals.

The bill which comes after six years of the Supreme Court declaring "Right to Privacy" as fundamental right has provisions to curb misuse of individuals' data by online platforms.

What is the bill all about?

• It is a legislation that intends to regulate the processing of digital personal data while respecting individuals' right to protect their data and the legitimate purposes for data processing. However, it aims to exempt the central government and specified entities in certain cases concerning India's sovereignty, security, foreign relations, public order, court orders, research, etc.
• The bill aims to impose stricter regulations on entities, particularly online platforms like mobile apps and social media companies such as Facebook, Twitter, and Telegram. These regulations pertain to the collection and processing of users' personal data, whether it occurs within the country or overseas.

• The bill moots the creation of Data Protection Board of India to handle grievances of individuals around personal data privacy if data fiduciaries or firms using personal data fail to address individuals' complaints.
• The bill proposes protection for the Centre, the board and its members, on "action taken in good faith".However, any person aggrieved by an order or direction made by the board under the Digital Personal Data Protection Act, 2023 can appeal before telecom tribunal TDSAT and thereafter before the apex court.
• Provisions under the bill enable the Centre to block access to content in the interest of the general public on getting reference in writing from the board.

• The bill proposes exemption for the Centre or entities authorised by it in special cases from key compliances like giving notice to data principal (a person to whom data belongs) and sharing personal data with other entities without need to inform data principal, provide information about summary of personal data processing.
• The bill neither has a provision that differentiates between sensitive and non-sensitive personal data nor does it restrict the processing of data overseas unless any restricted geography is notified under the proposed norms. "The bill will not overwrite any sectoral laws, especially around data processing," a government source told PTI.
• The large online platforms will be required to appoint a data protection officer who will act as point of contact for grievance and redressal mechanisms of their users. Large online entities will also need to appoint independent data auditors to carry out data audit, evaluate the compliance of the firms in accordance with the provisions of DPDP Bill 2023.
• The bill proposes to exempt centres from appointing both data protection officer and data auditors in special cases.
• The provisions under the bill enables the Centre to block access to content in the interest of the general public on getting reference in writing from the board. The bill has included a mechanism to process data of children defined as individuals below the age of 18 years.

• In the case of children, entities will need to take the consent of the guardian. Under the proposed norms, the Centre may notify the age above which the data fiduciary will be able to process data if it is done in a verifiably safe manner.
• Under the proposed bill, a maximum of Rs 250 crore and a minimum Rs 50 crore can be imposed on every instance an entity is found violating the norms proposed under the bill.
• Personal data can be processed only for a lawful purpose for which an individual has given consent and for certain legitimate uses.
• Consent of the individual needs to be a clear affirmative action, agreeing to the processing of personal data only for the specified purpose. This means that even if consent is for other purposes, say giving access to contact list while downloading a telemedicine app, the consent will be seen limited only actual and real purpose of data being collected.

Concerns

One of the major concerns raised by rights groups is the extensive exemptions granted to the government and its agencies. These exemptions could potentially weaken the law's effectiveness. Furthermore, there are worries about the dilution of the data protection board's powers and the proposed amendments to the Right to Information Act, which critics argue will have negative implications for people's rights.

Additionally, concerns have been raised about potential uncertainties in cross-border data flows and the negative impact on people's rights. The group warned that the bill's provisions could lead to mass surveillance and serious privacy violations.

Some say that the legislation fails to adequately address data protection concerns and instead seems to facilitate data processing activities of both state and private actors. The organization raised particular concerns about the broadening of exemptions for government instrumentalities, which could potentially enable increased state surveillance.