Unpacking the Digital Personal Data Protection Bill 2023: Your Data, Your Rights
The Digital Personal Data Protection Bill, 2023: Balancing Privacy and Innovation
Empowering Privacy: Key Features of the Digital Personal Data Protection Bill, 2023
Introduction: In an age where digital data has become an integral part of our daily lives, safeguarding personal information is of paramount importance. The Digital Personal Data Protection Bill, 2023, is a significant legislative development that aims to strike a balance between individual privacy rights and the necessity of processing personal data for various lawful purposes.
The DPDPA 2023 deals primarily with the handling of digital personal information within India, which includes both online and offline information. Its scope also extends to the processing of personal data outside India if that data is used to provide products or services to Indians or to profile them. This bill aims to provide a more secure and safe digital environment for all stakeholders.
In this blog post, we will delve into the salient features of this bill, designed to protect digital personal data, and help students understand its key principles, provisions, and implications.
Key Elements of the 2023 Digital Personal Data Protection Act
1. The Protection of Digital Personal Data: The Bill's primary objective is to protect digital personal data, which includes any data that can be used to identify an individual. It does so by imposing specific obligations on Data Fiduciaries, who are entities that process personal data, including individuals, companies, and government bodies.
2. Rights and Duties of Data Principals: The Bill recognizes the importance of individuals' rights concerning their personal data. Data Principals, who are the individuals to whom the data relates, have specific rights and duties outlined in the legislation. These include the rights to access information about their personal data, to correction and erasure, to grievance redressal, and to nominate someone to exercise these rights in case of incapacity or death.
3. Financial Penalties for Breach: To ensure compliance, the Bill imposes financial penalties for breaches of rights, duties, and obligations. This penalty mechanism serves as a deterrent to prevent misuse of personal data.
4. Seven Foundational Principles: The Bill is built upon seven core principles that guide the processing of personal data:
- i. Consented, Lawful, and Transparent Use of Personal Data: Data can only be processed with the consent of the Data Principal and for lawful and transparent purposes.
- ii. Purpose Limitation: Personal data can only be used for the specific purpose for which consent was obtained.
- iii. Data Minimization: Only the necessary personal data required to serve the specified purpose should be collected.
- iv. Data Accuracy: Ensuring that the data is correct and up-to-date.
- v. Storage Limitation: Personal data should only be stored for as long as needed for the specified purpose.
- vi. Reasonable Security Safeguards: Measures must be in place to protect data from breaches.
- vii. Accountability: The Bill establishes a system for adjudicating data breaches and penalties for non-compliance.
5. Innovative Features of the Bill: The Bill is designed to be SARAL (Simple, Accessible, Rational & Actionable Law), using plain language and containing illustrations for clarity. It introduces gender neutrality in parliamentary law-making by using "she" alongside "he."
6. Grievance Redressal Mechanism: Data Principals can enforce their rights by initially approaching the Data Fiduciary. If unsatisfied, they can file complaints with the Data Protection Board, ensuring a hassle-free grievance redressal process.
7. Data Fiduciary Obligations: Data Fiduciaries have several obligations, including implementing security safeguards, reporting data breaches, erasing data when no longer needed, and maintaining grievance redressal systems. Significant Data Fiduciaries must appoint data auditors and conduct periodic Data Protection Impact Assessments for enhanced data protection.
8. Protection of Children's Personal Data: The Bill places specific safeguards on the processing of children's personal data, requiring parental consent. It prohibits processes detrimental to children's well-being, such as tracking, behavioral monitoring, or targeted advertising.
9. Exemptions in the Bill: Certain exemptions are provided for specific purposes, such as national security, research, or startups. The Bill also allows processing of personal data of non-residents under foreign contracts and facilitates approved mergers and demergers.
10. Functions of the Data Protection Board: The Data Protection Board is tasked with addressing data breaches, investigating complaints, imposing penalties, and facilitating Alternate Dispute Resolution. It can also recommend blocking websites or apps of Data Fiduciaries who repeatedly breach the Bill's provisions.
Advantages of the Digital Personal Data Protection Bill 2023:
1. Privacy Enhancement / Protection of Privacy: The bill aims to enhance the privacy rights of Indian citizens, empowering them to have greater control over their personal data.
The bill acknowledges the importance of privacy as a fundamental right. It aims to protect individuals from potential harm, including financial loss, loss of reputation, and profiling, caused by the unchecked processing of their personal data.
2. Compliance and Security: It sets robust protection and security measures, along with effective privacy policies and grievance redressal mechanisms, promoting better compliance and data security.
3. Prevention of Data Breaches and Data Security Measures: The bill includes multiple exemptions to prevent data breaches, which have become a growing concern, ensuring that personal data is kept safe.
Data fiduciaries are required to establish reasonable security safeguards to prevent data breaches. In case of a breach, they must promptly inform the Data Protection Board and affected individuals.
4. Framework for Multiple Legislation: The bill encompasses a multi-pronged approach, providing a framework for various legislative measures related to digital India, telecommunications, and non-personal data governance.
5. Consent Requirement: The bill enforces the need for obtaining consent from individuals before processing their personal data, ensuring that data processing is lawful and transparent.
6. Data Principal Rights: It empowers individuals (data principals) with various rights, such as the right to access information about data processing, the right to correct and erase personal data, and the right to nominate a representative in case of death or incapacity.
7. Transfer of Personal Data: The bill allows for the transfer of personal data outside India while enabling the central government to restrict data transfers to countries that do not meet certain standards.
8. Data Protection Board: The establishment of the Data Protection Board of India will monitor compliance and impose penalties, ensuring accountability in data processing.
Disadvantages of the Digital Personal Data Protection Bill 2023:
1. Fundamental Rights: Some critics argue that the bill violates the fundamental right to privacy, as it provides exemptions to the State on grounds like national security.
Startups and other entities may be exempt from providing notice for consent, potentially hindering an individual's ability to provide informed consent.
2. Regulation Gaps: The bill does not adequately regulate harms arising from the processing of personal data, potentially exposing individuals to various risks, such as financial loss, discrimination, and unreasonable surveillance.
3. Missing Rights: It does not grant certain important rights, such as the right to data portability and the right to be forgotten, which are crucial for data principals' control over their data.
The bill allows the State to override an individual's consent for purposes like providing benefits and services, removing the principle of purpose limitation, which is essential for data privacy.
4. International Data Transfer: The bill's mechanism for cross-border data transfer does not require an exhaustive evaluation of data protection standards in other countries, which may not provide adequate protection to Indian citizens' data.
5. Independence and Short Term of the Data Protection Board: The short term (2 years) of the members of the Data Protection Board of India, with the possibility of reappointment, may raise concerns about the board's independent functioning.
6. Exemptions: The bill includes multiple exemptions, including those related to national security, which some argue resemble data regulations in China and could impact transparency.
The bill provides exemptions to government agencies (the State) in various cases, potentially allowing unchecked data processing, which could violate the right to privacy. These exemptions could result in data collection, processing, and retention beyond what is necessary.
7. Right to Information Act: It protects personal data of government functionaries, making it challenging to share with Right to Information (RTI) applicants.
8. Lack of Compensation: Unlike the IT Act, 2000, the bill excludes the application of Section 43A, which obliges corporates to award damages to affected persons in case of negligent handling of their sensitive data.
9. Children's Data: The bill's definition of a child (below 18 years of age) differs from international standards. The requirement to verify parental consent may reduce anonymity in the digital sphere, and the lack of clarity on what constitutes detrimental effects on a child's well-being is a concern.
10. Drafting Issues: Some sections of the bill have drafting issues that need clarification and correction.
While the Digital Personal Data Protection Bill 2023 introduces important measures to protect personal data, it also faces criticism for its exemptions and potential shortcomings in safeguarding fundamental rights and regulating data processing. The bill represents a step forward in data protection for India but may require further refinement and scrutiny to address these concerns effectively.
Final Words:
The Digital Personal Data Protection Bill, 2023, is a significant step towards protecting the digital personal data of individuals while facilitating necessary data processing for lawful purposes. Understanding its key principles and provisions is essential for students and anyone interested in the evolving landscape of data protection.
As digital data continues to shape our world, this legislation ensures that our personal information remains secure, and our rights are upheld. Stay informed and aware of the implications of this Bill as it transforms the digital data landscape in India.