Key Elements of the Digital Personal Data Protection Bill, 2023

The proposed legislation outlines the processing of digital personal data, balancing individual rights to privacy with the necessity for lawful data utilization and related matters.

Key protections and provisions in the Bill include:

1. Data Fiduciary Responsibilities: Entities that handle data (including individuals, companies, and government bodies) must adhere to specific protocols regarding the collection, storage, and handling of personal data.
2. Data Principal Rights and Responsibilities: Individuals to whom the data pertains have clearly defined rights and responsibilities.
3. Penalties: The Bill enforces financial penalties for violations of the established rights, duties, and obligations.

The Bill aims to:

• Introduce data protection laws with minimal disruption, ensuring significant changes in data processing methods.
• Improve the Ease of Living and Ease of Doing Business.
• Support the growth of India’s digital economy and innovation landscape.

The legislation is founded on seven core principles:

• Consented, lawful, and transparent use of personal data.
• Purpose limitation, ensuring data is used only for its original intended purpose.
• Data minimization, collecting only necessary data.
• Data accuracy, maintaining correct and updated information.
• Storage limitation, retaining data only as long as needed.
• Implementation of reasonable security measures.
• Accountability, including adjudication and penalties for data breaches.

Innovative aspects of the Bill include:

• Clarity and simplicity, using straightforward language and helpful illustrations, avoiding complex legal provisions and excessive cross-referencing.
• Inclusion of gender sensitivity by using “she” in its text, a first in Parliamentary law-making.

Rights granted to individuals under the Bill:

• Access to personal data information.
• Rights to correct and delete personal data.
• Mechanisms for grievance redressal.
• The ability to appoint a nominee to manage their data rights in cases of death or incapacity.

For enforcement:

• Individuals can first approach the Data Fiduciary with grievances. If unsatisfied, they can escalate the issue to the Data Protection Board.

Data Fiduciary obligations include:

• Implementing security measures to prevent data breaches.
• Notifying parties about data breaches.
• Deleting unnecessary data or upon consent withdrawal.
• Establishing a grievance redressal mechanism and appointing a responsible officer.
• Additional responsibilities for Significant Data Fiduciaries, like appointing a data auditor and conducting periodic assessments.

Child data protection:

• Data pertaining to children can only be processed with parental consent.
• Prohibitions against processing that could harm children or involve invasive practices like tracking or targeted advertising.

Exemptions in the Bill cover:

• Specific agencies for national security and public order.
• Research and statistical purposes.
• Startups and certain Data Fiduciaries.
• Legal, judicial, and regulatory functions.
• Crime prevention and legal investigations.
• Processing non-resident data under foreign contracts.
• Corporate restructuring like mergers or demergers.
• Locating financial defaulters.

The Board’s functions include:

• Directing remediation for data breaches.
• Investigating breaches and imposing penalties.
• Facilitating Alternate Dispute Resolution.
• Advising on actions against non-compliant Data Fiduciaries, including blocking websites or apps