The Data Personal Protection Bill, 2023, was passed by the Rajya Sabha on August 9. The bill provides for the processing of digital personal data in a manner that recognises both the rights of the individuals to protect their personal data and the need to process such personal data for lawful purposes and for related matters.

The bill, which proposes a regulatory framework for the use of personal data by private and government entities, was earlier passed by the Lok Sabha on August 7 in the ongoing Monsoon session of Parliament.

Key proposals of the Data Personal Protection Bill 2023

The Data Personal Protection Bill 2023 deals with digital personal data (or the data through which a person can be identified). It lists the financial penalties for breach of rules and compliances. The bill also lays down the rules regarding entities, companies or persons who will collect, store or perform any other operation on personal data (Data Fiduciaries).

The bill aims to limit the use of personal data to specific purposes. It is based on the principles of accountability, storage limitation and consented, lawful and transparent use of personal data.

How does the Data Personal Protection Bill protect the privacy of the common man?

The bill allows individuals to whom the data relates (Data Principals) to approach the Data Fiduciaries for enforcement of their rights. According to the bill, personal data can be processed only for “legitimate uses” after taking the consent of the Data Principals. The Data Fiduciary must give “in clear and plain language” details about the personal data sought and the purpose of the collection.

The bill proposes the creation of a Data Protection Board of India to monitor compliance with the rules and to impose penalties in case of any breach. The bill provides for fines of up to Rs 200 crore for non-fulfilment of obligations for data related to children. For failure to take security measures and data breaches, a penalty of up to Rs 250 crore can be levied.

According to the proposed regulatory framework, Data Fiduciaries will have to maintain the accuracy of the data and delete it once its purpose is fulfilled. The proposed guidelines will apply to processing of digital personal data outside India as well, if it pertains to offering goods and services in the country.

The bill also grants certain rights to individuals for grievance redressal, to obtain information, seek correction and erasure.

The bill is based on the principle of consent, but in certain cases, such as medical emergencies and the provision of benefits by the government, a person has to give their consent for the processing of personal data.

The Data Personal Protection Bill may exempt government agencies from its regulations in the interest of security, public order, and prevention of offences. This has led some people to criticise the bill on the grounds that it would dilute the provisions of the Right to Information Act.