WHAT’S NEW IN THE DIGITAL PERSONAL DATA PROTECTION BILL, 2023

CORPORATE LAW UPDATE

11th August 2023

Issue No.12/23-24

WHAT’S NEW IN THE DIGITAL PERSONAL DATA PROTECTION BILL, 2023

On 9th August 2023, the Rajya Sabha passed the Digital Personal Data Protection Bill, 2023 (“2023 Bill”) that had been introduced by the Ministry of Electronics & Information Technology and passed by the Lok Sabha previously on 7th August 2023.

The 2023 Bill aims to establish a framework for the processing of digital Personal Data in a manner that recognizes both the rights of the individuals to protect their Personal Data and the need to process such Personal Data for lawful purposes.

The 2023 Bill is also seen breaking barriers of gender norms by using the word “she” instead of “he” for the first time.

BACKGROUND

The 2023 Bill has been passed by both houses of parliament after a 6-year long journey following the landmark judgement of Justice K. S. Puttaswamy & Anr. vs. Union Of India & Ors. wherein the Supreme Court recognized the “Right to Privacy” as a fundamental right of Indian citizens, and the need for a comprehensive data protection regime in the aggressive digital age.

The 2023 Bill is preceded by the Digital Data Protection Bill, 2022 (“2022 Bill”), the Joint Parliamentary Committee’s Data Protection Bill, 2021 (“JPC Bill”) and the Personal Data Protection Bill, 2019 (“2019 Bill”). (For further information on the earlier legislation please refer to our previous update.)

CURRENT STANCE

The 2023 Bill applies only to digital Personal Data and ‘digitised’ Personal Data and removes any references to non-personal data. It also does not distinguish between Personal Data, sensitive personal data and critical personal data.

The 2023 Bill aims to (a) Introduce a Data protection law with minimum disruption while also ensuring necessary change in the way a Data Fiduciary processes Data; (b) Enhance the Ease of Living and the Ease of Doing Business in India; and (c) Enable India’s digital economy and its innovation ecosystem.

It introduces a set of fundamental principles such as (a) Lawfulness, Fairness & Transparency; (b) Purpose Limitation; (c) Data Minimization; (d) Accuracy; (e) Storage Limitation; (f) Integrity & Confidentiality; and (g) Accountability (collectively, “Principles“).

Outlined below are the key modifications and distinctions in the 2023 Bill from the earlier draft bills:

  1. Deletion of “harm”:

The 2023 Bill has eliminated the term “harm” as defined in the 2022 Bill in determining loss that may be caused to a Data Principal under the 2023 Bill. The 2023 Bill however now specifically links Data breach to losses such as loss of property, any interruption in supply of service, or any missed financial opportunities.

  1. No distinguishing between different categories Personal Data:

The 2023 Bill simplifies the definition of Personal Data by defining it as “any data about an individual who is identifiable,” thus removing sub-categories like ‘Sensitive’ and ‘Critical’ as were in earlier legislations.

  1. Revisions to scope and applicability:

The 2023 Bill applies to digital Personal Data, both in digital form and digitized non-digital data, thereby doing away with the ambiguity that was present in the 2022 Bill’s use of online data.

  1. Replacement of the concept of “Deemed Consent” with “Certain Legitimate Uses”:

The 2023 Bill replaces the concept of “Deemed Consent” with “Legitimate Uses.” It states that where a Data Principal voluntarily shared Data for specific purposes without refusal or indication that she does not consent, the processing of Data in that scenario would be legitimately used.

  1. Obligations of a Data Fiduciary:

The 2023 Bill introduces stringent duties for Data Fiduciaries, including maintaining accurate, complete, and consistent Personal Data, erasing of Data collected and stored upon withdrawal of consent from the Data Principal or upon the completion of purpose for which the Data was collected. It also obligates the reporting of breaches to the Data Protection Board and the affected Data Principals. Unlike the 2022 Bill, the 2023 Bill directly places the primary responsibility for security safeguards and reporting of breaches upon Data Fiduciaries.

  1. Transfer of Personal Data outside India:

The 2023 Bill now permits cross-border transfers to all countries except those as and when notified by the Central Government. It also clarifies that nothing in the 2023 Bill shall restrict another law in place, where that law provides for a higher degree of restriction or protection for transfer of Personal Data outside the country. The 2022 Bill on the other hand only permitted transfer of Personal Data to countries that were notified by the Central Government.

  1. Power given to the Central Government:

The 2023 Bill has given the Central Government powers that have been widely discussed and dissented in the parliamentary debate wherein the opposition has deemed the 2023 Bill to have “excessive centralization of powers”. These powers allow the Central Government to demand information from the Data Protection Board, Data Fiduciaries, and intermediaries, it allows the Central Government under Section 37 to widen censorship of Data published online by blocking content on the internet and further, can also block services of a Data Fiduciary on multiple instances of penalties to ensure general public interest.

  1. Amendment to the Information Technology Act, 2000 (“IT Act”):

Section 43A of the IT Act, that provides for the penalty in any negligence in data handling, is omitted for similarity with the 2023 Bill.

All capitalized terms used but not defined herein shall have the same meaning as ascribed in the 2023 Bill.

A copy of the 2023 Bill may be accessed here.

 

Disclaimer: This newsletter is for general information only and not intended for any solicitation. Views expressed in this newsletter are as on date and not necessarily of V Law Partners (“VLaw”). While reasonable efforts have been taken to provide correct information, VLaw cannot and does not warrant or guarantee the accuracy of the information provided in the newsletter. Readers are advised not to rely solely on this information when making any decision.

Suggestions: If you do not wish to receive our newsletters or have any comments or suggestions for us, please write to us at – admin@vlawpartners.com