The Rajya Sabha on Wednesday passed the Digital Personal Data Protection Bill, 2023 which aimed at safeguarding citizen’s right to personal information, and ensuring need to use personal data for lawful purposes.
“The Rajya Sabha has approved the Digital Personal Data Protection Bill 2023. This Bill, currently pending presidential assent, is poised to reshape how businesses handle personal data within India. Notably, the Bill introduces a negative-list approach for cross-border data transfers, allowing data flow to all jurisdictions by default, unless expressly prohibited. However, stricter local laws governing data transfer will take precedence,” says Supratim Chakraborty, Partner, Khaitan & Co.
“The DPDP Bill 2023 is a much-needed leap in the right direction as it establishes the rights and duties of ‘Data Principals’, the owners of data, and the obligations and liabilities of ‘Data Fiduciaries’, who collect, store, and process the data,” says Sivarama Krishnan, Partner & Leader, Risk Consulting, PwC India.
“Even as the finer details of the Bill will be clearer in days to come, it's highly recommended that enterprises start their journey towards privacy maturity now. This Bill touches the lives of more Indian citizens and businesses than any other law in recent times,” Krishnan adds.
Provisions of the bill will apply to digital personal data within India collected both online or offline and is digitised. Processing of personal data outside will also come under the ambit of the bill if it is for offering goods or services in India.
The bill lays down that the provisions of the Act will not apply to the processing of the personal data by an instrumentality of the state, as notified by the Central government citing sovereignty and integrity of India, security of the State, friendly relations with foreign States, and maintenance of public order, among others.
Responding to the concerns IT and Communications minister Ashwini Vaishnav said while moving for the passage of the bill in Lok Sabha, “If a natural disaster takes place, forms and notices for processing personal data should be a priority for the government or safety of citizens should be accorded a priority.”
“If the police is investigating a case and is going to nab an offender, will they adhere to forms seeking permission (for processing data) or will go ahead with their job,” Vaishnaw said.
On concerns that the bill dilutes the provisions of the RTI Act, 2005, the IT minister said that the harmonisation that was required to be done between the RTI Act and the Digital Personal Data Protection Bill has been done. The RTI Act, currently allows the disclosure of the personal information of officials in public bodies if it is in public interest, which the data protection bill disallows. “The three principles of Puttaswamy judgment have been incorporated in the bill,” Vaishnaw said.
Vaishnaw added that the Section 2B defines the loss which could be compensated through the law of torts. Right to be forgotten is in Section12 in the form of the right to be erased while the Section 16 of the bill has clear provisions for data localisation.