In a world where our personal data is constantly being collected and used by various entities, the Digital Personal Data Protection Bill, 2023 (DPDP Bill) aims to offer a much-needed solution. The DPDP Bill’s objective is to protect individuals' personal data from unauthorized access, use, and disclosure.
The bill has been passed in the Lok Sabha and now has to be cleared in the Rajya Sabha as well. Once enacted, this will become the first Indian law that will govern how personal data will be collected, used and processed by various entities.
What is the Data Protection Bill?
At its core, the Digital Personal Data Protection Bill, 2023 seeks to establish a balance between citizens' data rights and businesses' responsibilities in handling personal information. This legislation is a response to the growing concerns over unauthorized intrusion into personal data, data breaches, and misuse of information.
Manish Sehgal, Partner, Deloitte India, says that 'Given the bill’s extra-territorial coverage, enterprises based outside India serving individuals in India will also be expected to adhere to the provisions of this bill once enacted. Enterprises will have to review the current ways of working, especially for the personal data of individuals such as their employees, customers, merchants, vendors, etc., to be able to honor the rights that individuals may exercise, such as the right to access, update, erase their data, etc. Non-adherence to obligations listed in the bill may attract sanctions and commercial penalty as high as ₹250 crore.'
Commenting upon the technological aspect of the bill, Advocate Jitender Ahlawat, Founder and Managing Partner, HJA and Associates, said, 'Striking a balance between safeguarding personal information and encouraging new technologies is of utmost importance. This bill showcases India's intent to securely manage data, but the task remains to collaboratively work with the industry to respect individuals' privacy while fostering technological advancements.'
Sanjay Kaushik, Managing Director of Netrika Consulting, said the bill's emphasis on user consent and data localization aligns with global trends towards greater data independency. However, ensuring a balance between privacy protections and enabling legitimate uses of data for marketing and other purposes remains a challenge.
Penalties upon violation
Penalties range between ₹50 cr and ₹250 cr
Non-fulfilment of obligation related to children: ₹200 cr
Failure to take security measures to prevent data breaches: ₹250 cr
Key Principles and Provisions
Six fundamental principles form the bill's framework to ensure responsible data handling practices:
Lawful Collection and Usage: The bill mandates that personal data must be collected through legal means and processed only for legitimate purposes.
Transparency and Security: Organizations must transparently communicate their data collection and processing procedures, ensuring individuals understand how their data will be used.
Legitimate Purpose: Data collection must have a lawful purpose, limiting its scope to specific, defined objectives.
Data Minimization: Collecting only the necessary amount of data reduces the risk of misuse and breaches.
Data Protection and Accountability: Organizations must protect collected data from breaches and unauthorized access.
Data Accuracy: Ensuring the accuracy and correctness of the collected information is paramount.
Why is such a bill needed?
A data protection bill is necessary because personal data, which pertains to identifiable people, is used by various entities for various purposes. This includes understanding people's preferences for customization, targeted advertising, and recommendations, as well as aiding law enforcement. However, unchecked use of personal data can infringe on individuals' privacy rights.
India currently lacks a dedicated law for data protection; personal data usage is governed by the Information Technology (IT) Act of 2000. The new bill addresses the processing of digital personal data, aiming to balance individuals' data protection rights with the legitimate need to use such data for legal purposes.
Government's take
Rajeev Chandrasekhar, the Minister of State for Electronics and Information Technology, has expressed the government's perspective on the Digital Personal Data Protection Bill. He said, “The bill, upon passage in Parliament, will safeguard the rights of every citizen, foster the growth of the innovation economy, and enable lawful government access for national security and emergencies such as pandemics and earthquakes.” He described the bill as a global benchmark that is contemporary, future-ready, and yet easily comprehensible.
Opposition's View
Criticizing the bill, Congress MP Manish Tewari said that there was a distinction in the way the Bill applied to different entities. “It applies with full force to non-government entities, and the entire government is going to be exempt from it.”
Raising concerns over the Right to Information Act, Congress MP Adhir Ranjan Chowdhury said that the Bill was a “sinister move” to “trample” the Right to Information Act, 2005.
Concerns surrounding the bill
Concerns surrounding the Digital Personal Data Protection Bill include its potential adverse impact on press freedom and journalistic activities. Specifically, the Editors Guild of India (EGI) has expressed apprehensions about certain provisions of the bill that could have implications for the media industry and the right to freedom of expression. The EGI said the bill “creates an enabling framework for surveillance of citizens, including of journalists and their sources”.
The Digital Data Protection Bill broadens exceptions to the Right to Information (RTI) Act, potentially limiting access to information. Anjali Bhardwaj, an RTI activist, said, 'The Digital Data Protection Bill is a direct attack on people's freedom of speech and expression.'
'According to the bill, anyone who collects, uses or processes personal data will be now called a data fiduciary. So, small campaigns, NGOs, political parties, RWAs, and everyone who collects personal data will be called data fiduciaries and there are a whole host of obligations that they will have to meet. And here the catch is that the government will decide who will be exempt from being called a data fiduciary. So, the central government could potentially misuse this provision and exempt its own departments from under the law; big companies that favour the ruling party could be left out of the ambit of the law,' Bhardwaj added.