The Digital Personal Data Protection Bill, 2023, was approved by the Lok Sabha on 7th August 2023 and passed by the Rajya Sabha on 9th August 2023. The bill was passed against the backdrop of the misuse of people’s digital personal data during the Manipur violence. The new Digital Personal Data Protection Bill seeks to allow the processing of digital personal data in a way that recognizes both people’s right to the protection of their personal data and the necessity to use such personal data for authorized reasons. The bill represents India’s position on securing and safeguarding the personal data of people collected in digital and non-digital forms. Personal data protection is crucial to a smooth journey towards a digital economy, and to fostering trust and confidence among the people of India. In this blog, we go through some important highlights of the bill and explain them.
Applicable only to Digital Personal Data
The bill applies only to data within India that is either collected in digital form or collected in physical form and later digitized. Besides that, the bill also applies outside India if the data processing involves offering products and services to people inside India. Personal data is information that relates to a specific person and defines their identity, such as basic identifiers, biographical information, physical and health information, financial information, location, professional details, biometrics, etc. Data protection means protecting that personal data to ensure the privacy, safety, and integrity of individuals.
However, the bill does not apply in some instances, including:
• personal data that is processed for personal or domestic purposes
• personal data that has been made publicly available by the individuals themselves, or by any other person for a legal purpose.
Grounds for Processing Digital Personal Data
Under the Digital Personal Data Protection Bill, digital personal data can only be processed for lawful purposes, and only with the consent of the person concerned. The lawful purpose must not be prohibited by, or in violation of, any law passed by the government. There is no subcategory of personal data, such as sensitive personal data, that an individual can refuse to share: the DPDP bill does not differentiate between kinds of personal data and applies to all forms of it. However, for certain legal purposes, such as processing applications for permits, licenses, benefits, and services, or the voluntary sharing of data by an individual, consent may not be required. Only the personal data genuinely required for the lawful purpose should be collected. These lawful purposes protect organizations from legal issues and financial penalties. When data is used only for legal purposes, people are more willing to trust the procedures and remain confident about the privacy of their personal data.
Notice
Section 6 of the bill highlights the importance of the right to know what personal data a data fiduciary is collecting from the person concerned, and for what reasons.
Notice – A notice has to be provided to the data principal explaining the personal data required for processing and the purpose of it. The notice has three main requirements: it should be written in clear words, in simple language, and it should be available in the languages listed in the Eighth Schedule of the Indian Constitution.
Legitimate Uses – The cases in which the consent of the data principal is not required are termed legitimate uses. This means that when a data principal shares personal data with a data fiduciary for a specific purpose but does not separately provide consent, the data fiduciary may still use that data for that purpose. A data fiduciary can process personal data without taking consent for purposes such as a medical emergency, employment, compliance with any requirement of law, etc. These purposes are considered legitimate uses.
Data of Children and People with Disability
According to Indian law, “a child is a person below 18 years of age”. A child’s own consent is not valid for the processing of their personal data. Therefore, data fiduciaries have to take the consent of the child’s parents or lawful guardians. The same rule applies in the case of a person with a disability. Further, the central government has restricted data fiduciaries from collecting any information about a child that could cause the child harm. They are also prohibited from tracking or behaviourally monitoring children, and from targeting advertising at children, since these can have a negative impact on the child.
Cross-Border Transfer of Personal Data
For certain important purposes, a data fiduciary may transfer personal data to a different country or territory. Such a transfer can only be made to nations accepted by the central government, in accordance with the government’s terms and conditions. Some countries are blacklisted by the Indian government, and the transfer of any personal data to those countries is strictly prohibited because of security concerns. The government adds countries to either list on the basis of political considerations and geopolitical issues. Transfer is generally allowed to countries with a strong data protection regime, where the risk of a breach is minimal.
Exemptions
The new Digital Personal Data Protection Bill 2023 provides certain exemptions from data principal rights and data fiduciary obligations. The exemptions are:
• Prevention and investigation of breaches and offences by a data fiduciary
• Exemptions for BPOs
• Enforcing legal rights and claims
• Performing judicial and regulatory functions
• Exemptions for mergers, demergers, and debt recovery
• Locating defaulters and gathering information about their assets
• Processing the information of non-resident Indians under any foreign contract or transfer
Rights of Data Principals
Right to access information about personal data
The person concerned has the right to ask the data fiduciary whether their data is currently being processed or has already been processed for the stated purpose. They are also entitled to a summary of the personal data being processed and of the processing activities undertaken, which the data fiduciary has to provide in a clear and summarized form. They can also ask for the identities of the other data fiduciaries with whom their personal data is being shared for legitimate use.
Right to Correction and Erasure of Personal Data
Data principals can have inaccurate data corrected, have incomplete personal data completed or updated, and request erasure of their personal data once its purpose is fulfilled. The data fiduciary is obliged to correct, update, or modify the personal data on the data principal’s request, and has to erase the data after use unless retention is required for some other purpose.
Right of Grievance Redressal
Data principals have the right to raise a grievance with the data fiduciary to stop the processing of their personal data when processing is no longer permitted, either because consent has been withdrawn or because the data is no longer required for the purpose concerned. The data fiduciary is obliged to respond to the grievance within the specified time, and has to give a specific written reason if it fails to respond within the time specified by the authority.
Right to Nominate
The data principal has the right to nominate any person, generally a legal heir, as their nominee to exercise the rights of the data principal in the event of their death or incapacity.
Advantages of DPDP bill 2023
Obligations of the Data Fiduciary
Data fiduciary is the term used for an individual, a company, or a government entity that collects, stores, and processes the personal data of individuals, with their consent, for stated purposes. The 2023 bill imposes several obligations on data fiduciaries, which include:
• Using personal data only for the legitimate uses for which it is collected
• Ensuring that the data is legitimate, accurate, and complete, to avoid mistakes or errors in processing
• Deleting a person’s personal data if they withdraw consent or the purpose of the data is fulfilled and there is no further requirement to retain it
• Ensuring the safety and security of sensitive personal data to prevent data breaches and misuse
• Informing the Data Protection Board and the data principal of any breach or security issue, in the manner prescribed
• Implementing suitable organizational and technical measures
• Appointing a Data Protection Officer (DPO) and an independent auditor who can accurately and sincerely answer on behalf of the data fiduciary and carry out specific additional functions.
Proper Consent from Data Principal
Affirmative Consent – Consent must be free, specific, unconditional, informed, and unambiguous. It must also be given by an explicit affirmative action that can be interpreted as consent to the use of the person’s personal data for the stated purpose.
Withdrawal of Consent – The person has the right to withdraw consent easily at any point, but withdrawal does not affect the legality of any processing of personal data carried out on the basis of consent before it was withdrawn.
Penalty
The bill ensures the safety and genuine use of citizens’ personal data by imposing penalties for misuse. The DPB can impose a penalty of INR 250 crore for any misuse of data or failure to protect it from breaches and hackers. Besides that, it can impose a penalty of INR 200 crore for failing to fulfil the obligations for collecting and processing children’s personal data. Both penalties are imposed only after a proper inquiry and investigation by the board.
Maximum Data Security
Another major advantage of DPDPB 2023 is top-level data security. For the first time in history, a DPDPB bill will ensure Z plus security, which will be kept behind 14-foot-high walls guarded by (King) Cobra commando units. This top-level security ensures that your personal data is 100% safe and secure from theft, misuse, breach, or exposure at any cost. Besides data security, the board also ensures data privacy to foster trust and confidence in the people.
Disadvantages of DPDP Bill 2023
• Some of its provisions dilute the landmark Right to Information (RTI) law
• The board has granted certain exemptions to state entities
• There are no substantial protections against “over-broad surveillance” under the statute.
• The bill lacks clarity and specificity, which can lead to confusion, misinterpretation, and difficulty in implementing and understanding it.
• It prioritizes data processing as its main goal rather than data protection, which contradicts its stated aim of safeguarding the privacy and fundamental rights of people
• No consent is required for legitimate uses, which upsets the balance of the bill
• There is no information about the third parties that access your data, or about cross-country data transfers.
• There is no compensation for people whose privacy has been violated, or who suffer a loss as a result.
How the DPDP Bill 2023 Differs from Its Previous Versions
Restriction on making data publicly available – The Digital Personal Data Protection Bill 2023 excludes the right to make any data publicly available by the data principal, the data fiduciary, or any person related to the law.
Weak notice requirements – In the earlier versions of the DPDP bill, the data fiduciary had to inform the data principal about third parties; this was replaced in the 2023 bill. Now there is no need to disclose the third parties with whom your data is shared, or the foreign countries to which it is transferred.
Vague non-consensual processing of data permitted – In the earlier versions of the bill, the data fiduciary had to rely on deemed consent from the data principal when data processing became essential for some use. That clause is replaced by a legitimate use clause in the DPDP bill 2023. Now a data fiduciary is not bound to take the consent of the data principal when data is needed for legitimate uses such as employment, a medical emergency, etc.
Data transfer to other countries – In the older version, the government had created an allowlist of countries with which the personal data of Indian citizens could be shared for important purposes. In the 2023 bill, this allowlist is replaced with a blacklist of countries to which data cannot be transferred in any case. This blacklist is created after a deep evaluation of each country’s security system, political relations, physical boundaries, etc.
Exemptions for the private sector – The DPDPB, 2022 empowered the Union Government to exclude specific data fiduciaries, or categories of them, from specific provisions. The DPDPB, 2023 retains this provision while specifically including startups among the data fiduciaries eligible for Union Government exemption.
Diminishment of the Right to Information Act, 2005 – Through certain changes, the DPDPB, 2023 eliminates the provision under the Right to Information Act, 2005, for disclosing personal information, even in circumstances of public interest.
Comparison with EU and American Laws
The European Union’s General Data Protection Regulation (GDPR) and the American Data Privacy and Protection Act (ADPPA) are the two most significant data privacy laws, and they have set benchmarks for other countries in protecting their citizens’ personal data. Comparing these two with India’s DPDP bill brings out several points of difference:
Data Categorization
The DPDPB does not place personal data under any subcategory.
In the GDPR, certain personal data falls under the subcategory of special categories, including ethnic origin, political opinions, etc.
In the ADPPA, certain personal data is categorized as sensitive personal data, which includes government identifiers and information related to finance, race, etc.
Consent from Children
In the DPDP bill, proper consent from the parent or guardian is required for a child below the age of 18.
In the GDPR, parental consent is required for a child below the age of 16. EU member states can lower this age in special cases.
In the ADPPA, no parental consent is required for children under 17 years of age, but consent is required for the transfer of their personal data.
Consent Requirements
In the DPDP bill, free, specific, and unambiguous consent is required from the data principal to process their data.
In the GDPR, special categories of personal data require the explicit consent of the data subject.
In the ADPPA, the collection and transfer of sensitive personal data require express consent from the individual.
Cross Border Data Transfer
In the DPDP bill, cross-border transfer is open to all countries except those on the government’s blacklist.
In the GDPR, cross-border data transfer is allowed to countries that ensure an adequate level of protection for personal data.
In the ADPPA, the law neither expressly permits nor prohibits cross-border transfer.
Data Breach
In the DPDP bill, data fiduciaries have to inform the Data Protection Board and the data principals whose data has been breached.
In the GDPR, data controllers have to inform the data subject and the supervisory authority about the data breach.
In the ADPPA, there is no separate requirement; the relevant state’s law governs the proceedings.
Penalties
In the DPDP bill, a penalty of Rs 500,00,00,000 can be imposed by the Data Protection Board for non-compliance.
In the GDPR, a penalty of 20,000,000 euros can be imposed, and the data subject has the right to claim compensation in case of infringement.
In the ADPPA, there is no fixed penalty, but an individual can claim compensation for loss of their data.
Conclusion
The new Digital Personal Data Protection Bill, 2023, is focused on protecting the digital personal data of Indians, whether held by the government or otherwise digitized. The bill provides for the safety of the personal data of data principals, children, and people with disabilities, and for the exercise of a person’s rights after their death. The board sets out the obligations that a data fiduciary has to fulfil in order to secure people’s personal data and build trust and confidence. The DPB imposes a penalty in case of a data breach and ensures that a proper inquiry and investigation are carried out to resolve the problems that arise.