Insights

News Flash | Erase and Rewind: Data Protection in India | Digital Personal Data Protection Bill, 2023

Co-authored by Manav Raheja, Avadhoot Potnis, Hriday Chokshi and Samarth Srivastava

The Indian Government recently introduced the latest version of the Digital Personal Data Protection Bill, 2023 (“Bill”) in the Lok Sabha (Lower House of the Parliament). The Bill was approved by the Lok Sabha on August 7th, 2023, and as per the legislative process, the Bill will now be placed before the Rajya Sabha (Upper House of the Parliament) for approval. Thereafter, once approved by both Houses of the Parliament, on receipt of the Presidential assent, the Bill will become the data protection/privacy law of India.

The Bill once enacted into law, will regulate the personal digital data of individuals, govern lawful usage of such data and provide a mechanism to address contraventions of the law.

We have listed below 10 (ten) key aspects of the Bill, for the attention of individuals who provide their data (“Data Principal”) and entities/persons who collect and process such data (“Data Fiduciary”):

1. The Bill introduces a principle-based approach which is less prescriptive, unlike the earlier iterations.

2. Coverage: All personal data (any data about an individual who is identifiable by or in relation to such data) in digital form (including non-digital data which is subsequently digitized) is covered. No sub-categories like ‘sensitive’ and ‘critical’ data, that previously existed, have been provided in the Bill.

3. Extra territorial scope: The Bill will also apply to processing of digital personal data outside India, if such processing relates to offering goods and services to Data Principals within India.

4. Consent requirements: Data Principal must provide consent for collection and processing of personal data. Such consent needs to be specific, informed, unconditional, unambiguous and given in writing or digitally (by a clear affirmative action). Consent shall be limited to such personal data which is necessary for the specified purpose for which it is collected.

5. Notice requirements: The notice from the Data Fiduciary for procurement of consent from Data Principal should specify, inter-alia, the personal data sought to be processed and purpose for processing such data. For personal data already collected prior to the Bill, the Data Fiduciary can continue to process such personal data till the Data Principal withdraws consent (although, a post-facto notice is required to be given by the Data Fiduciary).

6. Legitimate use: In certain cases, such as for employment, safeguarding confidentiality of employer’s data, medical emergencies involving Data Principal, medical treatment during public epidemic, for safety during disasters or any breakdown of public order, to protect the sovereignty and integrity of India, compliance with law, judgment, decrees, etc., data can be processed without the consent of the Data Principal.

7. Cross-border data transfer: Data Principal’s personal data can be transferred to any jurisdiction, except those blacklisted by the Central Government through notification.

8. Significant Data Fiduciary (“SDF”): The Central Government can notify any Data Fiduciary as SDF based on, inter-alia, the volume and sensitivity of data processed by such entity. Such SDF would be subjected to higher standards of scrutiny and compliance.

9. Data Protection Board of India (“DPB”): The Central Government will notify and appoint a DPB, as the primary regulator for data protection. The DPB will, inter-alia, adjudicate on complaints regarding breach of the data protection law. An appeal against orders of DPB will lie to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) and thereafter to the Supreme Court of India.

10. Penalties: TheDPB can impose monetary penalties which range from INR 10,000 (Indian Rupees Ten Thousand) to INR 2,500,000,000 (Indian Rupees Two Billion and Five Hundred Million) depending on the nature of the breach.

Note:

1. The Central Government may notify timelines for implementation of different provisions of the Bill, which will result in a phased implementation of the Bill. The rules to be framed under the Bill will also be notified by the Central Government subsequently. 

2. Our detailed analysis on the Bill will follow once it is enacted into law.

Back To Top
Search

DISCLAIMER

The Bar Council of India does not permit soliciting work or advertising by advocates in any manner or form. By clicking on "AGREE" below, the user acknowledges and confirms that:

  1. There has been no advertisement, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
  2. The website is a resource solely for the purpose of providing general information about Veritas Legal at the user’s own risk, cost and liability; 
  3. The information provided in this website shall not be construed as legal advice or create any lawyer-client relationship in any manner whatsoever; 
  4. The links provided on this website shall in no way be considered referrals, endorsements or affiliations with the linked entities and Veritas Legal shall not hold responsibility for the content of such links.

The user shall not hold Veritas Legal responsible for any action taken relying upon the content of the website. In cases where the user has any legal issues and requires assistance, he/she/it must seek independent legal advice.

AGREE DISAGREE