The Digital Personal Data Protection Bill (DPDPB), 2023


The DPDPB was introduced in August 2023 and was passed by both houses of Parliament. Once it receives the President's assent, the Bill will become law. This is a noteworthy milestone, and it highlights the role of the Data Protection Board of India, the Bill's core rules, and the responsibilities it places on both organizations and individuals.

In a fast-moving digital era, the Digital Personal Data Protection Bill of 2023 is a significant step towards safeguarding individuals' privacy and promoting responsible data-handling practices. The legislation acknowledges the growing importance of protecting personal data and aims to balance individual rights against the legitimate data-processing needs of organizations.

The primary objective of the Bill is to regulate the processing of digital personal data and uphold individuals' right to protect their information, while recognizing that such data must be processed and used for lawful purposes. The Bill is written in clear, plain language so that it is easily understood by everyone. It also seeks to establish a comprehensive legal framework governing the protection of digital personal data in India.

Overview of the Law

On August 9, 2023, the Digital Personal Data Protection Bill (DPDPB), 2023 was passed by both chambers of Parliament, making it India's first comprehensive privacy statute. The Bill is designed to regulate the processing of digital personal data, recognizing both the right of individuals to protect their personal information and the lawful need of organizations to process such data. Once it receives the President's assent, it will become law.

Main Elements of the Legislation

Scope

The legislation defines personal data as any information that can directly or indirectly identify an individual. Its scope covers the processing of personal data in digital form within the territory of India, as well as personal data that has been converted into digital form from non-digital sources. It also extends to the processing of digital personal data outside India, as long as that processing relates to offering goods or services to individuals in India.

However, the legislation excludes personal data processed by individuals for personal or domestic purposes, as well as data that has been made publicly available.

Organization of the Law

The legislation is structured into 6 chapters comprising 33 sections, along with one schedule setting out the penalties for non-compliance.

Stakeholders 

Under the legislation, the term “data principals” covers individuals residing in India, as well as the parents or legal guardians of minors and of individuals with disabilities. The legislation also defines the following key entities:

  • Data Processor: Any person who processes personal data on behalf of a data fiduciary.
  • Appeals Tribunal (Telecom Disputes Settlement and Appellate Tribunal): Hears appeals and grievances concerning orders or directions issued by the Data Protection Board of India.
  • Consent Managers: Persons registered with the Board and authorized by data principals to give, manage, review, and withdraw consent through a platform that is accessible, transparent, and interoperable.
  • Data Protection Officer (DPO): A person designated by a significant data fiduciary to carry out the responsibilities set out in the Bill.
  • Data Fiduciary: Any “person” (including companies and associations) who determines the purpose and means of processing personal data. Certain data fiduciaries may be notified as “significant data fiduciaries” depending on the nature and volume of the data they process.
  • Oversight authority – the Data Protection Board of India (DPBI/Board): The principal regulatory body entrusted with enforcing the Bill.


Entitlements and Duties under the Bill

Individuals with Data Rights

The Bill confers upon individuals, referred to as data principals, the following entitlements:

Data Fiduciary and Data Processor 

  • Compliance Responsibilities: Data fiduciaries must fulfil the duties prescribed in the Bill regardless of any agreement with, or action by, data principals. This includes ensuring that personal data used for decision-making or disclosure is accurate and complete, and implementing appropriate technical and organizational measures to ensure compliance.
  • Notice: Data principals must be given a notice describing the personal data being processed, the purpose of processing, how they can exercise their rights, and how to contact the Board, both for data collected in future and for data collected before the law comes into force. The notice must be made available in English or in any of the 22 scheduled languages, at the data principal's option.
  • Disclosures: On request from a data principal, a data fiduciary must provide information about all other data fiduciaries and data processors with whom the data has been shared.
  • Consent: Consent must be freely given, specific, informed, unambiguous, and expressed through a clear affirmative action, for a specified purpose.
  • Data Management: Data fiduciaries must ensure that data is accurate and complete, and must limit processing to the specified purposes. Data must be erased once the purpose of processing has been served, unless retention is required by another law. Data processors may be engaged only under a valid contract. Data of minors and persons with disabilities may be processed only with verifiable consent of the parent or lawful guardian. Tracking, behavioural monitoring, and targeted advertising directed at minors are prohibited.
  • Breach Notification: In the event of a personal data breach, both the Board and the affected data principals must be notified.
  • Significant Data Fiduciary: Organizations notified as significant data fiduciaries must appoint a Data Protection Officer (DPO) based in India. They must also carry out additional measures, including Data Protection Impact Assessments and periodic data audits by an independent data auditor.

Transfer of Personal Data Outside India

The Bill permits the transfer of personal data outside India without restriction, except to countries specifically restricted by the Central Government. The Bill also preserves the effect of other Indian laws that may impose their own conditions on cross-border data transfers.

Consequences for Failure to Comply

The Bill specifies various penalties for non-compliance, including:

  • Failure to take reasonable security safeguards to prevent a personal data breach: Penalty of up to INR 250 crore (approximately USD 30 million)
  • Failure to notify the Board and affected data principals of a breach: Penalty of up to INR 200 crore
  • Failure to meet obligations when processing children’s data: Penalty of up to INR 200 crore
  • Failure to meet the additional obligations of a significant data fiduciary: Penalty of up to INR 150 crore
  • Breach of any voluntary undertaking given to the Board: Penalty up to the extent applicable to the underlying breach
  • Any other non-compliance with the Bill’s provisions: Penalty of up to INR 50 crore

The Central Government will establish the Board as a body corporate entrusted with enforcing the Bill. The Board's powers and duties include issuing directions, determining instances of non-compliance, imposing penalties, issuing remedial directions, and inquiring into breaches.

Steps for Organizations to Get Ready for Compliance

To prepare for the Bill, organizations should take the following measures:

  • Familiarise themselves with the law.
  • Conduct a comprehensive data inventory using data discovery techniques.
  • Create systems to furnish notifications to data principals regarding personal data acquired in the past and in the future.
  • Establish a consent management system to gather, retain, monitor, and refresh consent from individuals.
  • Develop and put in place mechanisms to address requests from data principals regarding their rights.
  • Keep track of alterations or revisions to data protection laws and regulations.
  • Guarantee the maintenance of valid contracts with data processors.
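The consent-management and data-management steps above are easier to reason about with a concrete record structure. The following is an added example written for this page, not code from the original post or from Cunomial; it is a minimal in-memory consent ledger that binds each consent to one stated purpose, rejects anything that is not a clear affirmative action, allows withdrawal by the principal or a consent manager, refuses processing for any purpose that was never consented to, and erases the data once the purpose is served unless another law requires retention. The class and method names (`ConsentLedger`, `record_consent`, `may_process`, `on_purpose_fulfilled`), the `notice_version` field and the sample identifiers are all assumptions for illustration.

```python
"""Purpose-bound consent ledger (added example; the DPDPB's wording is paraphrased, not quoted)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class ConsentRecord:
    """One consent, bound to exactly one stated purpose."""
    purpose: str
    notice_version: str            # which version of the notice the principal saw (assumed field)
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    """Per-principal, per-purpose consent store with an append-only audit trail."""

    def __init__(self) -> None:
        self._records: Dict[str, Dict[str, ConsentRecord]] = {}
        self._audit: List[str] = []

    def _log(self, event: str) -> None:
        self._audit.append(event)

    def record_consent(self, principal_id: str, purpose: str, notice_version: str,
                       affirmative_action: bool, now: Optional[datetime] = None) -> ConsentRecord:
        # Consent must follow a clear affirmative action for a specific purpose;
        # a pre-ticked box or mere inactivity is not accepted as consent.
        if not affirmative_action:
            raise ValueError("consent requires a clear affirmative action by the data principal")
        if not purpose.strip():
            raise ValueError("consent must name a specific purpose")
        now = now or datetime.now(timezone.utc)
        rec = ConsentRecord(purpose=purpose, notice_version=notice_version, granted_at=now)
        self._records.setdefault(principal_id, {})[purpose] = rec
        self._log(f"{now.isoformat()} granted principal={principal_id} purpose={purpose} notice={notice_version}")
        return rec

    def withdraw(self, principal_id: str, purpose: str, actor: str = "principal",
                 now: Optional[datetime] = None) -> bool:
        # Withdrawal may come from the principal directly or via a registered consent manager.
        rec = self._records.get(principal_id, {}).get(purpose)
        if rec is None or not rec.active:
            return False
        rec.withdrawn_at = now or datetime.now(timezone.utc)
        self._log(f"{rec.withdrawn_at.isoformat()} withdrawn principal={principal_id} purpose={purpose} by={actor}")
        return True

    def may_process(self, principal_id: str, purpose: str) -> bool:
        # Purpose limitation: only the exact purpose consented to is allowed, nothing adjacent.
        rec = self._records.get(principal_id, {}).get(purpose)
        return rec is not None and rec.active

    def active_purposes(self, principal_id: str) -> List[str]:
        return sorted(p for p, r in self._records.get(principal_id, {}).items() if r.active)

    def on_purpose_fulfilled(self, principal_id: str, purpose: str,
                             retention_required_by_law: bool) -> str:
        # Once the purpose is served, data is erased unless another law mandates retention.
        rec = self._records.get(principal_id, {}).get(purpose)
        if rec is None:
            return "no-record"
        decision = "retain" if retention_required_by_law else "erase"
        self._log(f"fulfilled principal={principal_id} purpose={purpose} decision={decision}")
        if decision == "erase":
            del self._records[principal_id][purpose]
        return decision

    def audit_trail(self) -> List[str]:
        return list(self._audit)


def demo() -> dict:
    """Walk through grant, purpose check, withdrawal and erasure on constructed sample data."""
    ledger = ConsentLedger()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed timestamp
    ledger.record_consent("dp-001", "order_delivery", "notice-2024-01", affirmative_action=True, now=t0)
    out = {
        "delivery_ok": ledger.may_process("dp-001", "order_delivery"),
        "ads_ok": ledger.may_process("dp-001", "targeted_ads"),   # never consented, so refused
    }
    ledger.withdraw("dp-001", "order_delivery", actor="consent-manager", now=t0)
    out["after_withdrawal"] = ledger.may_process("dp-001", "order_delivery")
    out["erasure"] = ledger.on_purpose_fulfilled("dp-001", "order_delivery", retention_required_by_law=False)
    out["events"] = len(ledger.audit_trail())
    return out


if __name__ == "__main__":
    print(demo())
```

The audit trail is what a data auditor or the Board would ask for: every grant, withdrawal and erasure decision is recorded with the notice version the principal actually saw, so the organization can show that consent was specific and informed at the time it was given, and that data was not kept past its purpose.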

Get in Touch with Us

Sonali Jha: sonali.jha@cunomial.com

CEO, Cunomial Technologies Private Limited
