Government Presents Digital Personal Data Protection Bill, 2023, in Lok Sabha
This new legislation emphasizes the necessity for digital platforms to secure clear and informed consent from users before engaging in any data processing activities. This consent can be withdrawn by users at any time, compelling platforms to halt data processing and erase the pertinent information. Interestingly, the Bill also allows the transfer of personal data to any foreign country except for those that might be blacklisted by the government in the future.
A result of over four years of dedication, extensive discussions, and numerous revisions, the Bill sets forth a novel framework in comparison to its predecessors.
In a positive turn for the industry, this Bill sanctions cross-border data transfers and introduces the concept of voluntary acknowledgments of data breaches, thus removing the criminal penalties that were initially laid out in the 2019 draft.
In specific scenarios such as medical emergencies, disasters, court orders, and government agency requirements, the Bill permits data processing without requiring user consent. Moreover, each digital platform must furnish a notice detailing the purpose of data processing and users' rights, presented in all of the 22 official languages. Platforms that have already amassed personal data are obliged to notify users, granting them the choice to retract their given consent.
It's important to note that the Bill does not cover anonymized, non-personal, or offline personal data, and refrains from categorizing data into sensitive or critical classifications. For the purpose of minimizing legal disputes, the Bill incorporates provisions for alternative dispute resolution (ADR). Should this law be enacted, it would play a pivotal role in India's swiftly expanding digital economy.
To supervise and penalize personal data breaches, an autonomous entity known as the Data Protection Board will be established. If the board determines that a platform has neglected to implement "reasonable security safeguards" against data breaches, it holds the power to impose fines reaching up to Rs. 250 crore. Failure to comply with obligations relating to children's data may attract a penalty of Rs. 200 crore.
However, the government has the liberty to exempt specific entities, including startups, from adhering to certain provisions in the Bill, contingent on the scale and nature of the personal data they handle. Likewise, government agencies might also be excluded under certain conditions.
As per the provisions of the proposed law, platforms are required to obtain verifiable consent from a parent or legal guardian before processing the personal data of individuals below 18 years old or persons with disabilities. Certain categories of platforms could be exceptions to this rule. Processing personal data that could potentially harm a child's well-being is forbidden, as is the tracking, monitoring, and targeted advertising directed at children.
In cases of disagreement with decisions made by the board, recourse can be sought through the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). The Bill outlines the overarching principles of data protection, leaving the detailed legal requirements to be specified once the government outlines the regulations after the Bill's passage.
The journey of the Bill commenced in 2017, triggered by the Supreme Court's recognition of the right to privacy as a fundamental citizen right. The Ministry of Electronics and Information Technology convened a panel of experts led by Justice BN Srikrishna, which formulated the Draft Personal Data Protection Bill, 2018. This draft was presented to Parliament in 2019, with certain amendments. However, following 81 amendments and 12 recommendations proposed by a joint parliamentary committee, the government withdrew the draft last year.
In November 2022, a new draft was put forth for public consultation, and the government received a staggering 21,666 suggestions from industry stakeholders and legal experts.
