All you need to know about the new Digital Personal Data Protection Bill 2023
- InstaMark
- Aug 4, 2023
Updated: Aug 9, 2023

The new Digital Personal Data Protection (DPDP) Bill was tabled on Thursday in the Lok Sabha amidst heavy opposition. With this, the government plans to substantially amend how citizens’ personal data is handled by the entities that collect it. Personal data is any data that could identify a person, such as a phone number, email ID or location.
Two major changes have been made:
- Citizens whose personal data has been leaked will not be able to seek compensation from the entity that failed to protect their data, unlike under the new GDPR law in the UK. However, these entities shall be liable to substantial penalties and, according to experts, penalties serve as a bigger deterrent than compensation.
- The Government has empowered its officials to take down content if it is against public policy or threatens national security in any way, among other things. Critics say this addition is highly problematic, if not unconstitutional.
Rajeev Chandrasekhar, Minister of State for Electronics and Information Technology, took to X (formerly Twitter) to say, “DPDP Bill is a global standard, contemporary, future ready and yet simple to understand.” He added that this new bill will protect the rights of all citizens, allow innovation in the economy and permit the Government’s lawful and legitimate access in national security matters and emergencies like the pandemic.
We break down the complete Digital Personal Data Protection Bill 2023 in this series.
This new Bill chalks out the rights and duties of the ‘Digital Nagrik’ and the obligations of the entities collecting data, the fiduciaries.
As per reports, the bill has been drafted keeping in mind the six principles of a safe data ecosystem, outlined below:
- Lawful and Safe collection of Data: This includes transparency to the citizen and places responsibility for the protection, transfer and storage of data on the fiduciary. There is also a provision of deemed consent of the citizen in certain instances, explained in detail below.
- Lawful and True purpose of collection of Data: The fiduciary is bound to disclose the true reason and purpose of collecting personal data. This purpose should be legal, and the data should not be stored after the purpose is achieved, barring one exception, explained in detail below.
- Data Minimization: This means that only essential and relevant data should be collected for the pre-defined purpose described above.
- Accountability of the Fiduciary: The bill makes the fiduciary accountable for protecting the data of citizens, failing which high penalties of at least Rs. 200 Crore may be levied.
- Accuracy of Data: This shifts the data obligation onto the citizen. This also makes the fiduciary liable to seek consent that is specific, informed and unambiguous.
- Data Breach: The Bill makes it compulsory for the fiduciary to report a breach to the Data Protection Board in a fair, transparent and equitable manner, failing which high penalties may be levied.
Some other key points:
- The Bill is not applicable to non-personal data or data in non-digital formats. It is also not applicable to non-automated processing, data processing for domestic or personal purposes, and personal data that has been contained in records for at least 100 years.
- The Bill is applicable both to data being processed in India and if the Data Principal offers goods and services in India.
- A Data Protection Board shall be set up to gauge data breaches, among other things. This Board promises to be ‘digital in design’ and shall also be open to voluntary inputs by citizens.
- Three categories of penalties are envisaged for fiduciaries:
  - Rs. 200 Crore if the fiduciary fails to report a data breach to the above Board as well as to the affected citizens.
  - Rs. 250 Crore if the fiduciary failed to implement reasonable data safeguards, causing a breach.
  - Rs. 500 Crore if the fiduciary is found to be non-compliant with the provisions of this bill in an enquiry conducted by the Board.
- The Bill permits fiduciaries to retain personal data of citizens for ‘Business Purposes’ even after the purpose of collection has been fulfilled.
This Bill, if passed, shall usher in a new regime of data protection in our country. The Bill seems to be less inspired by the EU’s GDPR than the fraternity may be hoping, but it seems like a new step in a new direction.
Watch this space for more information!