On 3rd August 2023, the Digital Personal Data Protection Bill, 2023 was introduced in the Lok Sabha. It is a Bill to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes, and for matters connected therewith or incidental thereto.
Salient features of the Bill
Applicability Exemptions: The Act does not apply to non-automated processing of personal data. Offline personal data is exempted from the Act’s provisions. Personal data processed by an individual for personal or domestic purposes is excluded. Personal data about an individual contained in a record existing for at least 100 years is exempt.
Grounds for Processing: Personal data can be processed based on the provisions of the Act and Rules made under it. Processing must be for a lawful purpose, consented to by the Data Principal, and not expressly forbidden by law.
Notice Requirements: Data Fiduciaries must provide clear, itemized notices to Data Principals before seeking consent. If consent was obtained before the Act’s commencement, a notice must be given as soon as practicable. Notice can be a separate document, electronic form, or part of the same document. Data Principals have the right to access notices in their preferred language.
Consent Rules: Consent must be freely given, specific, informed, and signify agreement through affirmative action. The request for consent must be presented in clear language and include the Data Protection Officer’s contact details. Data Principals can withdraw consent, which affects subsequent processing but not prior lawful processing. Withdrawal of consent should be as easy as giving consent. Consent can be managed through a Consent Manager, a registered entity that enables consent management.
Deemed Consent: Data Principals are deemed to consent if they voluntarily provide data for specific purposes. Consent is deemed for certain legal, medical, safety, employment, and public interest purposes. Certain processing, like tracking children or targeted advertising, is not allowed.
Obligations of Data Fiduciary: Data Fiduciaries remain responsible for compliance regardless of any agreement with, or non-compliance by, Data Principals. They must ensure data accuracy, take reasonable security measures, and give notice of data breaches. Retention of data should be limited by the purpose of processing and by legal or business needs. They must appoint a Data Protection Officer, publish that officer’s contact information, and provide grievance redressal mechanisms.
Rights & Duties of Data Principals: Data Principals have the right to information, correction, erasure, and grievance redressal. They can nominate someone to exercise rights in case of death or incapacity. Data Principals must comply with applicable laws, provide accurate information, and not file false grievances.
Significant Data Fiduciaries: Some Data Fiduciaries may be designated Significant, needing additional obligations like appointing Data Protection Officers and Independent Data Auditors.
Exemptions: Rights of the Data Principal and obligations of Data Fiduciaries (except data security) will not apply in specified cases. These include: prevention and investigation of offences, and enforcement of legal rights or claims. The central government may, by notification, exempt certain activities from the application of the Bill, such as processing by government entities in the interest of the security of the state and public order, and processing for research, archiving, or statistical purposes.
Processing of personal data of children: While processing the personal data of a child, the data fiduciary must not undertake: (i) processing that is likely to cause any detrimental effect on the well-being of the child, and (ii) tracking, behavioural monitoring, or targeted advertising.
Cross-border transfer: The Bill allows the transfer of personal data outside India, except to countries restricted by the government through notification.
Penalties: The schedule to the Bill specifies penalties for various offences, including up to: (i) Rs 200 crore for non-fulfilment of obligations relating to children, and (ii) Rs 250 crore for failure to take security measures to prevent data breaches.