New Delhi: The Digital Personal Data Protection Bill, 2023, was approved by the Lok Sabha on Monday. The Bill outlines regulations for companies that collect data online while allowing exceptions for the Government and law enforcement agencies.
Digital Personal Data Protection Bill, 2023
The proposed Bill aims to effectively manage and regulate digital personal data by striking a balance between individuals’ right to protect their data and the lawful processing of such data for relevant purposes.
The text of the Bill states, ‘This legislation seeks to establish provisions for the appropriate handling of digital personal data, taking into consideration both the fundamental right of individuals to safeguard their personal information and the necessity to lawfully process such data for legitimate purposes and related matters.’
Key Highlights of the Bill:
- The Digital Personal Data Processing Bill will have jurisdiction over the collection and handling of digital personal data in India, whether collected online or offline and subsequently digitized.
- Additionally, the Bill will extend its reach to the processing of personal data outside India if it is done with the intention of offering goods or services within India.
- Personal data can only be processed for lawful purposes and with the consent of the individual concerned.
- However, consent may not be necessary for specific legitimate uses, such as voluntary data sharing by the individual or data processing carried out by the State for the issuance of permits, licenses, benefits, and services.
- Data fiduciaries will have a responsibility to ensure the accuracy and security of the data and delete it once its purpose has been fulfilled.
- The Bill grants individuals certain rights, including the right to access information, request corrections and deletions, and seek redressal for grievances.
- In the interest of specified grounds such as state security, public order, and prevention of offenses, the central government may exempt government agencies from certain provisions of the Bill.
- The Data Protection Board of India, established by the central government, will handle cases of non-compliance with the Bill’s provisions.
On the other hand, the bill has its back draws such as:
- Exemptions to data processing by the State on grounds such as national security may result in the collection, processing, and retention of data beyond what is necessary. This has the potential to infringe upon the fundamental right to privacy.
- The Bill fails to regulate the risks of harm that may arise from the processing of personal data.
- The Bill does not provide the data principal with the right to data portability and the right to be forgotten.
- Except for countries notified by the central government, the Bill permits the transfer of personal data outside of India. However, this mechanism may not guarantee sufficient evaluation of data protection standards in these countries.
- The members of the Data Protection Board of India will be appointed for a two-year term and will have the opportunity for re-appointment. However, this short term with the possibility of re-appointment may impact the independent functioning of the Board.
The Bill, which will now be reviewed by the Upper House, also includes amendments to the Right to Information Act, 2005, removing exemptions on disclosing personal information in the public interest.
