The Lok Sabha is set to take up the Digital Personal Data Protection Bill 2023 for consideration and passing today. The bill was introduced by Communications, Electronics & Information Technology minister Ashwini Vaishnav on August 3.
The bill seeks to ensure that processing of digital personal data should ensure individual’s right to safeguard their personal information, and also focuses on the need to use personal data for lawful purposes.
Provisions of the bill will apply to digital personal data within India collected both online or offline and is digitised. Processing of personal data outside will also come under the ambit of the bill if it is for offering goods or services in India.
“Personal data may be processed only for a lawful purpose after obtaining the consent of the individual. A notice must be given before seeking consent. The notice should contain details about the personal data to be collected and the purpose of processing,” said PRS Legislative research in a note on the provisions of the bill.
“An individual whose data is being processed (data principal), will have the right to obtain information about processing, seek correction and erasure of personal data, nominate another person to exercise rights in the event of death or incapacity, and grievance redressal. Data principals will have certain duties. They must not register a false or frivolous complaint, and furnish any false particulars or impersonate another person in specified cases. Violation of duties will be punishable with a penalty of up to ₹10,000,” it added.
To monitor compliance and impose penalties for the contravention of the law, the government will set up Data Protection Board of India. “The schedule to the Bill specifies penalties for various offences such as up to ₹200 crore for non-fulfilment of obligations for children, and Rs 250 crore for failure to take security measures to prevent data breaches. Penalties will be imposed by the Board after conducting an inquiry,” the note said.
Experts are of the view that the enterprises will soon have to revamp their data protection and privacy measures to comply with the bill. “The Digital Personal Data Protection Bill, 2023 has finally been introduced before the Indian Parliament and seeks to overhaul India’s aged and rudimentary data protection framework. The DPDP Bill is the fourth and most recent version of India’s proposed data protection law – since the Supreme Court of India in 2017 held that privacy is a fundamental right under the Constitution of India,” said Probir Roy Chowdhury, partner, J Sagar Associates.
“Enterprises with business in India will have to revamp their data protection and privacy measures to ensure compliance with the obligations imposed under the DPDP Bill. While the DPDP Bill has not yet been passed into law, the absence of a sunset/implementation period means that stakeholders should ensure that they are ready to comply as soon as the DPDP Bill is enacted,” Chowdhury added.