Digital Personal Data Protection Bill, 2023 (DPDP Bill, 2023)
- Need of a Personal Data Protection Law
- Some challenges in setting up an effective data protection regime
- Key Provisions
Need of a Personal Data Protection Law
i. National Security: Unauthorized leaks, hacking, cyber-crimes, and frauds may negatively impact India’s national security.
ii. Preventing Misuse of Data: Misuse of data has become rampant for commercial and political activities: e.g. Cambridge Analytica
iii. Protecting Fundamental Rights of Citizens: Ensuring Right to Privacy which is a fundamental right (KS Puttaswamy judgement)
- Increased digital penetration -> increase in personal data breaches from major service
iv. Strengthening of bargaining powers of Data Principals who generally have unequal bargaining powers with respect to data fiduciaries and a law is needed for empowering them.
v. Current data governance provisions have been ineffective in protecting users' data.
- Presently, the IT Act 2000 and some other sector regulations govern how different agencies collect and process users' data. However, these regimes fall short of providing effective protection to users and their personal data.
- Under IT Act, the extant protection is premised on privacy being a statutory right, rather than a fundamental right.
- It emphasizes data security, but doesn't emphasize data privacy enough.
- It has limited understanding of the kinds of data to be protected.
- It places scant obligations on the data fiduciaries which, moreover, can be overridden by contract/user consent; and
- The regime does not apply to government agencies, which leaves a large vacuum for data protection as the government itself collects and processes large amount of
- Finally, the current regime seems to be completely inadequate against the new technologies of data collection and processing which have emerged.
vi. Absence of Institutional Framework for data privacy and security. For example, there is no independent supervisory authority, such as a privacy commissioner, that individuals may approach in case of non-compliance.
vii. There is also a need to regulate the surveillance system to ensure a balance between the government's need for surveillance and citizens' right to privacy.
viii. The Right to be Forgotten is increasingly being considered an integral part of the right to privacy, but this is not available in India yet.
Some challenges in setting up an effective data protection regime:
i. Balancing Rights of Data Principals and need of data fiduciaries to process data.
ii. Balancing the Right to Privacy of data principals and the reasonable exceptions needed by the government.
iii. Because technologies change fast, the law needs to be future-proof, but at the same time it should not be very bulky and unduly detailed.
Therefore, the government has been working on a Data Protection Bill since 2017, and a new Bill, the Digital Personal Data Protection Bill 2023, has been passed in both Lok Sabha and Rajya Sabha in Aug 2023.
Key Provisions
1. Personal Data is defined as any data about an individual who is identifiable by or in relation to such data.
2. Processing has been defined as a wholly or partially automated operation or set of operations performed on digital personal data.
ii. Unlike the 2019 bill, this bill narrows the scope of the data protection regime to personal data protection.
- It will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitized. It will also apply to such processing outside India, if it is for offering goods and services in India.
iii. Consent: Personal Data may be processed only for a lawful purpose upon consent of an
- Consent may not be required for specified legitimate uses such as voluntary sharing of data by the individual or processing by the state for permits, licenses, benefits and
iv. Special Protection to Children: The bill places three conditions on data processing entities for children’s data:
- Obtaining verifiable consent; not causing harm to children; and not tracking or monitoring children or targeting ads at them.
v. Rights and Duties of Data Principal:
- Rights include obtaining information about processing; seeking correction and erasure; nominating another person to exercise rights in the event of death or incapacity; and grievance redressal.
- Duties include not registering false complaints, not furnishing false information, and not impersonating another person.
- Violation of duties will be punishable.
vi. Obligation of Data Fiduciaries: Data Fiduciaries are required to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met; inform data principal and data protection board in case of a breach.
vii. Concession to Cross Border Data flow: The bill allows transfer of personal data outside India, except to countries restricted by the Central government through notification.
viii. Exemptions: Central government may exempt government agencies from the provisions in the interest of security of state, public order, and prevention of offences.
- Personal data which is processed for research, archiving, or statistical purpose will also be exempted under clause 17(2)(b).
ix. Data Protection Board of India – To be established by the central government to adjudicate on non-compliance with the provisions of the bill.
- The members will be appointed for a period of 2 years and can be reappointed.
- Amendment to IT Act, 2000 to remove the clause obliging corporates to award damages to affected persons in case of negligent handling of sensitive data.
- Note: Section 43A of the IT Act, 2000 imposes an obligation on corporates to award damages to affected persons in case of negligent handling of their sensitive data. Clause 44(2) of the bill aims to exclude the application of section 43A, thereby leaving an individual who has suffered a breach of their data without any relief.
x. Amendment to RTI Act, 2005 to protect the personal information from disclosure.
- Section 44(3) of the bill amends section 8(1)(j) of the RTI Act, which will have the effect of totally exempting personal information from disclosure.
- Right to Privacy (no use without consent, obligations on data fiduciary to secure data)
- Ease of doing business – concession on cross border data flow
- Priority to security, public order etc.
- Institutional Framework – to ensure data protection in the form of Data Protection Board.
i. Exemptions to government agencies on various grounds may lead to unchecked processing of data, with adverse implications for the privacy of individuals, which has been recognized as a fundamental right.
- The Parliamentary Standing Committee had recommended that the order should specify a procedure which is fair, just and reasonable. But the bill doesn't require any procedure or safeguard to be specified.
ii. No differentiation between Personal Data and Sensitive Personal Data – Thus there is a negation of the elevated level of protection that should be available to sensitive personal data.
iii. No regulation of harm arising from processing of data: The previous bills had defined various harms which may arise from processing of personal data, including mental injury, identity theft, financial loss etc. But this is missing in the current bill.
iv. The Right to Data Portability and the Right to be Forgotten are missing in the bill.
- The Joint Parliamentary Committee (which examined the 2019 bill) has recommended retaining the right to data portability and the right to be forgotten. The General Data Protection Regulation (GDPR) also recognizes these rights.
v. Cross border data flow may also lead to violation of fundamental rights of citizens if protection is not available in the country where data has been transferred.
vi. Independence/Autonomy of Data Protection Board of India may be affected by short term of the members and scope of reappointment.
vii. Weakening of RTI regime: RTI activists have expressed concerns that the Bill undermines the democratic essence by depriving citizens of the valuable RTI.
In its attempt to balance national security, public order, ease of doing business, global diplomacy and cross-border cooperation, technology velocity, and data volumes, the DPDP Bill, 2023 does a fine balancing act. If some of the limitations discussed above are remedied, the bill can be a forerunner for digital personal data protection laws globally.
- Discuss the key challenges of the present personal data protection regime in India. How does the Digital Personal Data Protection Bill, 2023 remedy some of these challenges? [15 marks, 250 words]
- Critically analyze the provisions of the Digital Personal Data Protection Bill, 2023 in terms of their ability to ensure the Fundamental Right to Privacy to citizens of the country. [10 marks, 150 words]
- The Digital Personal Data Protection Bill, 2023 fails to confront India’s growth into a surveillance society. Discuss [10 marks, 150 words]
- ‘Data protection law is crucial not only for securing fundamental rights of citizens, but also for National Security and Economic Security.’ Elaborate. [10 marks, 150 words]