Jurisdiction: India | Status: Received presidential assent on 11th August 2023.
History and What It’s About
The Digital Personal Data Protection Bill, 2023 was introduced in the Lok Sabha (Indian Parliament) as Bill No. 113 of 2023. The Bill aims to regulate the processing of digital personal data while balancing the right to privacy of individuals with the necessity of processing personal data for lawful purposes. The legislation seeks to ensure accountability, transparency, and security in how personal data is collected, stored, and used in India.
Who Has a Role to Play in Compliance?
Obligation Holders:
- Data Fiduciaries: Entities that determine the purpose and means of processing personal data.
- Significant Data Fiduciaries: Entities processing large volumes of personal data or dealing with sensitive data, impacting national security or public interest.
- Data Processors: Entities that process personal data on behalf of Data Fiduciaries.
- Consent Managers: Registered entities managing user consent for data processing.
Supervisory Bodies:
- Data Protection Board of India (DPBI): Established by the Central Government, responsible for enforcing compliance and investigating breaches.
- Appellate Tribunal: Telecom Disputes Settlement and Appellate Tribunal (TDSAT) will handle appeals against DPBI decisions.
Rights Holders:
- Data Principals (Individuals): Users whose personal data is processed, including special provisions for minors and persons with disabilities.
What Are the Most Important Obligations?
- Consent-Based Data Processing: Processing of personal data must be based on free, informed, and specific consent of the individual.
- Legitimate Uses Without Consent: The Act permits certain data processing without explicit consent (e.g., for public interest, national security, legal compliance, emergencies, and employment purposes).
- Data Protection Measures: Data Fiduciaries must implement security safeguards to prevent breaches.
- Children’s Data Protection: Data Fiduciaries must obtain verifiable parental consent for processing children’s data and are prohibited from tracking, behavioral monitoring, and targeted advertising toward children.
- Rights of Data Principals:
  - Right to Access Information
  - Right to Correction and Erasure
  - Right to Grievance Redressal
  - Right to Nominate a Representative (in case of death or incapacity)
- Cross-Border Data Transfers: The Central Government may restrict the transfer of personal data to certain countries.
- Penalties for Violations: Heavy fines are imposed for non-compliance, with penalties reaching up to ₹250 crore (2.5 billion INR) for severe breaches.
What Are the Consequences of Non-Compliance?
- Fines and Penalties:
  - Failure to prevent data breaches: Up to ₹250 crore
  - Failure to notify the DPBI of a breach: Up to ₹200 crore
  - Violation of children’s data protection rules: Up to ₹200 crore
  - Violation of significant data fiduciary obligations: Up to ₹150 crore
  - General violations: Up to ₹50 crore
- Legal Actions: Affected individuals can lodge complaints with the Data Protection Board of India.
- Government Enforcement Actions: The Central Government has powers to block platforms or services in case of repeated violations.
Where Can I Find More Information?
The Digital Personal Data Protection Bill, 2023 can be accessed through the official Government of India website or publications of the Ministry of Electronics and Information Technology (MeitY).