Digital Personal Data Protection Bill, India | The 11 Most Important Things to Know About India’s Digital Data Protection Law

With digitization accelerating, vast volumes of sensitive personal data are being collected and processed online (Digital Personal Data Protection) – from financial information to biometric data. This exponential rise of digital footprints has made personal data protection a critical need today. Responding to this need, the landmark Digital Personal Data Protection Bill 2023 has been introduced in Parliament. Touted as a game-changer for digital privacy rights in India, the Bill significantly enhances safeguards for individuals while enabling lawful data use.

The Bill requires entities that process personal data, called Data Fiduciaries, to be transparent on data use and sharing. People get the right to access their data and file complaints for data misuse. Stringent consent mechanisms aim to minimize harm from profiling and surveillance. Mandatory audits, impact assessments, and compliance officers are now applicable for major data collectors termed Significant Data Fiduciaries. Restrictions can be imposed on cross-border data transfers. Alongside empowering individuals, the Bill provides reasonable exemptions to balance privacy with national interests. Overseeing implementation is a Data Protection Authority with inquiry powers and mechanisms for reactive and proactive enforcement.

With its stressed consent, proactive risk management, and responsive redressal, the Bill marks a major milestone in India’s digital rights journey. It seeks to usher in both new legislation and a new social contract to protect digital footprints in the digital age.


Consent and Transparency Requirements

  1. Consent must be free, specific, informed, clear, and revocable
  2. This applies to both collecting new data and existing data
  3. The notice must be given on data usage and sharing
  4. Consent requests must be in clear language and multiple formats
  5. Data Fiduciary must prove valid consent was obtained
  6. Consent Managers can enable consent flows for data principals
  7. Transparency on contact details for grievances and data usage


Rights and Responsibilities of Individuals

  • Access personal data held, purposes, sharing, and other details
  • Get inaccuracies corrected and incomplete data completed
  • Right to erasure and restrict disclosure of personal data
  • File complaints for data misuse and non-compliance
  • Nominate individuals to exercise rights in case of death/incapacity
  • Provide authentic information, not impersonate others illegally
  • Responsible usage, avoiding false grievances and information


Obligations of Data Fiduciaries

  1. Lawful processing ground – consent or certain legitimate purposes
  2. Reasonable security against data breaches
  3. Notify Board and data principals in case of data breaches
  4. Appoint Data Protection Officer (for Significant Fiduciaries)
  5. Additional obligations like audits and impact assessments
  6. Respond to user grievances within the defined timeframe
  7. Retain data only as long as necessary for processing purposes


Role and Powers of Data Protection Authority

  • The Data Protection Board of India oversees the implementation
  • Powers to investigate complaints and personal data breaches
  • Can conduct inquiries for compliance and impose penalties
  • Issue directions for remedial action in case of violations
  • Hear appeals against orders of Data Fiduciaries
  • Refer cases for mediation and other dispute resolution
  • Accept voluntary assurances of compliance from entities
  • Register and oversee Consent Managers


Exemptions for National Interests

  1. Exemptions for processing necessary for legal rights, judicial functions, prevention of crimes, compliance with judgments, responding to medical emergencies, public health measures, disaster response
  2. Exemptions also for certain State functions like security, public order, friendly foreign relations
  3. Reasonable exemptions for startups and entities with low risk/sensitivity
  4. Research, archiving, and statistical data processing exemptions
  5. Temporary exemptions can be granted for wider categories


Cross-border Data Transfer Provisions

  • Central Government can notify restrictions on overseas data transfers
  • Aims to protect against misuse in foreign jurisdictions with weak protection
  • Transfer allowed where necessary for a contract with the person outside India
  • Reasonable restrictions as per international standards and agreements
  • Special provisions for sensitive personal data


Scope and Coverage of the Bill

  1. Applicable to processing of personal data collected, stored, or processed digitally within India
  2. Also applies to overseas processing if related to offering goods/services to Indians
  3. Excludes personal data processing for domestic or personal purposes
  4. Also excludes publicly available personal data

Key Definitions and Salient Aspects

  • Personal data – data about an identifiable individual
  • Sensitive personal data – financial, health, biometric, genetic, sexual orientation, religious beliefs data
  • Digital and non-digital data are covered but focus on digital
  • Consent, transparency, accountability, and security requirements
  • Grievance redressal systems and penalties
  • Conditions for cross-border data transfers


Significant Enhancements in Digital Privacy

  1. Consent is proposed as the lawful basis for processing personal data
  2. Rights-based approach with user rights and consent flows
  3. Additional obligations for significant data collectors
  4. Responsive grievance redressal provisions
  5. Cross-border transfer controls
  6. Exemptions balanced with individual rights


Amendments to Existing Laws

  • Related amendments proposed to Information Technology Act, Telegraph Act, RTI Act
  • Section 43A of the IT Act omitted; overlap with new data protection provisions
  • Section 81 proviso added for the new law; Section 87 amended
  • Exemptions under RTI Act updated in line with privacy protection needs


Digital Personal Data Protection
Digital Personal Data Protection

The 11 Most Important Things to Know About India’s Digital Data Protection Law | Digital Personal Data Protection

  1. Consent-based approach with data principal rights
  2. Notice and transparency requirements
  3. Responsibilities and obligations of data fiduciaries
  4. Exemptions for security, judicial functions, etc.
  5. Provisions for cross-border data transfers
  6. Data Protection Authority with inquiry powers
  7. Penalties for non-compliance
  8. Grievance redressal systems
  9. Restrictions on high-risk data processing
  10. Reasonable exemptions for startups, etc.
  11. Amendments to IT Act, Telegraph Act, and RTI Act


Conclusion for Digital Personal Data Protection:

The Digital Personal Data Protection Bill marks a new chapter in India’s digital governance.

With its consent-based approach, proactive safeguards, and grievance mechanisms, the Bill aims to empower individuals with more control over their digital footprints.

This first-of-its-kind legislation can enable responsible data utilization while protecting digital privacy.

As users, we must complement legal safeguards through caution in sharing personal data online.

Digital Personal Data Protection
Digital Personal Data Protection


Q: What is the Digital Personal Data Protection Bill?

A: It is a comprehensive legal framework introduced in India to govern the processing of personal data collected, stored, and processed digitally, with provisions for individual consent, rights, transparency, and accountability.

Q: When was the Digital Personal Data Protection Bill introduced?

A: The Digital Personal Data Protection Bill, 2023 was introduced in the Lok Sabha on 29th July 2023. It is yet to be passed.

Q: What are the key features of the Digital Personal Data Protection Bill?

A: Salient aspects include consent-based processing, data principal rights, obligations for data fiduciaries, grievance redressal systems, penalties for non-compliance, and exemptions balancing individual rights and national interests.

Q: Who will oversee the implementation of the Digital Personal Data Protection Bill?

A: The Bill provides for the setting up of a Data Protection Board of India that will oversee implementation, inquiries, and enforcement once the law is passed.

Q: When will the Digital Personal Data Protection Bill come into effect?

A: The Bill is yet to be passed by Parliament. The date of enforcement will be notified once it becomes an Act. Some key provisions may have deferred applicability.

Golden Quotes:

“Personal data protection is the new currency of the digital age.”


Leave a Comment