The Digital Personal Data Protection Bill, 2023

The Digital Personal Data Protection Bill, 2023

News: The President of India Droupadi Murmu granted assent to the Digital Personal Data Protection Bill, 2023 (DPDP Bill) after it was passed by both the houses of the parliament.

What is the need of DPDP bill?
• Personal Data of individuals is processed by different entities to understand the preferences of individuals which can be used in customization, targeted advertisements and can be used in law enforcement as well.
• Unchecked processing of personal data can lead to several consequences including risking privacy of individuals, financial loss, political profiling etc
• Prior to this comprehensive bill, India didn’t have a proper law on data protection with some of provisions within IT Act, 2000 governing the personal data protection. The SC in the Puttuswamy Judgement upheld the Right to Privacy as a Fundamental right under Article 21 of the Constitution and Justice B N Srikrishna Committee on Data protection, JPC on Personal Data protection 2019 provided several inputs on Personal data protection in India.

What are the key highlights of the Bill?
• The Bill will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitized. It will also apply to such processing outside India, if it is for         offering goods or services in India.
• Personal data may be processed only for a lawful purpose upon consent of an individual. Consent may not be required for specified legitimate uses such as voluntary sharing of data by the individual or processing by the State for permits, licenses, benefits, and services.
• Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.
• The Bill grants certain rights to individuals including the right to obtain information, seek correction and erasure, and grievance redressal.
• The central government may exempt government agencies from the application of provisions of the Bill in the interest of specified grounds such as security of the state, public order, and prevention of offences.
• The central government will establish the Data Protection Board of India to adjudicate on noncompliance with the provisions of the Bill.

What are the key issues around the bill?
• Exemptions to data processing by the State on grounds such as national security may lead to data collection, processing, and retention beyond what is necessary. This may violate the fundamental right to privacy.
• The Bill provides that the central government may restrict the transfer of personal data to certain countries through a notification. This implies the transfer of personal data to all other countries without any explicit restrictions will inadvertently lead to vulnerability of data breaches in those countries putting personal data of citizens at risk.
• The Bill provides that members of the Data Protection Board of India will function as an independent body. Members will be appointed for two years and will be eligible for re-appointment. A short term with the scope for re-appointment may affect independent functioning of the Board.
• The Bill empowers the central government to exempt processing by government agencies from any or all provisions, in the interest of the security of the state and maintenance of public order. The Bill does not require government agencies to delete personal data, after the purpose for processing has been met. Using the above exemptions, on the ground of national security, a government agency may collect data about citizens to create a 360-degree profile for surveillance.
• The Bill does not provide for the right to data portability and the right to be forgotten.
• The Bill does not regulate risks of harms arising out of processing of personal data. The Srikrishna Committee (2018) had observed that harm is a possible consequence of personal data processing. Harm may include material losses such as financial loss and loss of access to benefits or services. It may alsoinclude identity theft, loss of reputation, discrimination, and unreasonable surveillance and profiling. It had recommended that harms should be regulated under a data protection.
• The Bill does not protect data that is made publicly available by an individual or anyone else. Data protection norms around the world extend obligations to publicly available data too.

What does the Bill say about children and their data privacy?
• Under the DPDP Bill, people under the age of 18 are considered minors.
• It places three conditions on data processing entities for children’s data – i) Obtaining “verifiable parental consent”, ii) not causing harm to children, and iii) not tracking or monitoring children or targeting ads at them.
• The Bill requires all data fiduciaries to obtain verifiable consent from the legal guardian before processing the personal data of a child. A sizable number of children will need to seek parental consent for services they can easily access right now.
• There are questions about how data processing entities will verify the age of children and obtain parental consent. If every data fiduciary will have to verify the age of everyone signing up for its services, anonymity in the digital sphere may be reduced.

What are the positive aspects of the Bill?
• The Bill is written in concise, straightforward and uncomplicated manner with minimum use of legal jargon.
• Due to the pace of innovation and disruption in the tech sector, the Bill focusses on principles and outcomes rather than modes and processes. This will enhance the longevity of the bill and also give businesses flexibility in achieving compliance.
• Businesses will benefit from the light-touch and facilitative approach of the Bill towards personal data protection.
• The rationalized and minimally intrusive data protection regime will attract global tech investments.
• The bill will provide impetus to the startup ecosystem and boost its global competitiveness.

Conclusion
• The DPDP 2023 is an all-encompassing and progressive bill that will evolve over the years. It will attract investments and at the same time ensure the Personal Data of Citizens of India is safe and secure.