Exclusive | The changes in the new Digital Personal Data Protection Bill 2023, explained

CNBC-TV18 has obtained exclusive access to the draft of the bill, revealing significant changes and provisions aimed at safeguarding individuals' data rights, regulating data fiduciaries, and ensuring proper enforcement through a dedicated Data Protection Board.

By Ashmit Kumar  Aug 9, 2023 9:14:52 AM IST (Updated)

The Digital Personal Data Protection Bill, 2023, is set to be tabled in the Rajya Sabha on Wednesday. The Bill was passed in the Lok Sabha on August 7. The bill seeks to establish a robust framework for the protection of personal data in the digital realm.

CNBC-TV18 has obtained exclusive access to the draft of the bill, revealing significant changes and provisions aimed at safeguarding individuals' data rights, regulating data fiduciaries, or entities collecting personal data, and ensuring proper enforcement through a dedicated Data Protection Board.
Here are the key takeaways from the draft:
Obligations of Data Fiduciary
  • Data fiduciaries, which are entities collecting and processing personal data, are required to obtain free, informed, and unconditional consent from individuals before processing their data.
  • Consent requests must be communicated in clear and plain language, and the withdrawal process should be as easy as giving consent.
  • Data fiduciaries must inform individuals about the data being collected and the purpose of collecting it.
  • Data can be processed until an individual withdraws consent.
  • Data can be processed without consent in certain cases, such as providing benefits and services, or complying with legal obligations.
Data Protection Obligations
  • Data fiduciaries must implement reasonable security measures to prevent data breaches and inform individuals in case of a breach.
  • Data must be deleted when its purpose has been fulfilled or consent is withdrawn.
  • Significant data fiduciaries must appoint a Data Protection Officer and an independent data auditor for compliance assessment.
  • Consent of parents or legal guardians is required before processing data of children.
  • The government can set an age limit above which parental consent is not required for children's data processing.
Rights and Responsibilities of Data Principals (Individuals)
  • Individuals have the right to access the personal data collected about them and know with whom it has been shared.
  • Individuals can request the deletion, correction, or updating of their personal data.
  • A grievance redressal mechanism should be provided by data fiduciaries for individuals.
  • Individuals must provide authentic personal information and not withhold material information or impersonate others.
Exemptions
  • The government can restrict the transfer of personal data to certain countries for security and sovereignty reasons.
  • Government entities can be exempt from certain provisions in the interest of national security and public order.
  • Certain classes of fiduciaries, including startups, may be exempt from complying with specific provisions.
Data Protection Board of India
  • A Data Protection Board will be established, comprising a chairperson and members nominated by the government.
  • The board has the power to direct remedial actions, inquire, and impose penalties for data breaches or non-compliance.
  • Penalties of up to Rs 250 crore can be levied on data fiduciaries.
  • Decisions of the board can be appealed in the Telecom Disputes Settlement and Appellate Tribunal (TDSAT) within 60 days.
Additional Powers of the Central Government
  • The central government can order the blocking of a data fiduciary after a hearing, based on the board's recommendation.
  • The government can require the board and relevant parties to provide information for the act's purposes.
Changes from the Draft of November 2022
  • The government now notifies countries where data cannot be transferred instead of where it can be transferred.
  • No consent is required for data fiduciaries to transfer data to another entity for processing.
  • The government can exempt specific classes of fiduciaries, including startups, from compliance.
  • The central government may exempt data fiduciaries from seeking parental consent if data processing for children is verifiably safe.
  • New provisions allow the central government to block data fiduciaries and seek information.
  • Immunity from legal proceedings is extended to the central government, the board, its chairperson, and members.
  • Decisions of the board are now appealable before TDSAT.
  • In terms of penalties, Section 25 of the draft from November 2022 allowed for a cap of Rs. 500 crores on penalty for "each instance". The final version being tabled in Parliament has removed this cap, and this could potentially allow for higher penalties.

The bill was approved by the Union cabinet of ministers earlier in July.