Rajya Sabha passes Digital Personal Data Protection Bill

On Wednesday (9 August), the Rajya Sabha passed the Digital Personal Data Protection Bill (DPDPB) 2023 with a voice vote. The opposition had staged a walk over the Manipur issue. Passed by the Lok Sabha on 7 August, it will become a law after getting assent from President Droupadi Murmu.

The bill sets out requirements for firms collecting data online, with exceptions for the government and law enforcement agencies. It also lays down the obligations of entities handling and processing data, as well as the rights of individuals.

Rajya Sabha passed the Digital Personal Data Protection Bill, 2023 which seeks to set out requirements for firms collecting data online, with exceptions for the government and law enforcement agencies. Earlier, the Bill was passed by the Lok Sabha on August 7.

— ANI (@ANI) August 9, 2023

Speaking in the Rajya Sabha, Union Minister of Electronics and Information Technology (Meity) Ashwini Vaishnaw stated that the bill gives more power to individuals using digital services. He added that the bill has laid down several obligations on private as well as government entities in relation to collecting and processing the data of every citizen.

The Minister highlighted that the bill will grant four rights to Indian citizens and said, “Four rights have been given to the country’s citizens – Right to access information, Right to correction of personal data and right to eraser, Right to grievance redressal, and Right to nominate in case of death.”

Minister Vaishav also stated that the language of the bill has been kept simple so that even a common person can understand it and it was brought in the House after extensive public consultation.

The bill will protect the privacy of Indian citizens as there are provisions for imposing penalties of up to Rs 250 crore on entities that misuse or fail to protect the digital data of individuals. It applies to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised.  It will also apply to such processing outside India, if it is for offering goods or services in India.

As per the bill, fines will be imposed for a range of offences, including up to Rs 200 crore for failing to meet obligations related to children and up to Rs 250 crore for neglecting security measures to prevent data breaches.

The underlying principles of this bill share similarities with those data protection laws enforced in other jurisdictions including the European Union’s regulation ‘General Data Protection Regulation’ (GDPR). These include lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability. 

As per the requirement of the bill, the central government will establish a Data Protection Board of India. This board will monitor compliance and imposition of penalties. It will direct data fiduciaries to take necessary measures in the event of a data breach, and hear grievances made by affected persons.

The Bill will be applied within as well as outside the territory of India. It will be applied to the processing of digital personal data within the territory of India, irrespective of whether the personal data is collected in digital form or in non-digital form and digitised subsequently.

Similarly, it will be applied in case the digital personal data is processed outside the territory of India. This will happen if the processing of data is connected with any activity related to the offering of goods or services “to Data Principals within the territory of India.” Here, the Bill defines “Data Principal” as the individual to whom the personal data relates. 

As per the bill, a company can only process the personal data of a user only for certain “legitimate uses” and they will have to take consent for it. Here, “Personal data” is defined as “any data about an individual who is identifiable by or in relation to such data.”

Further, according to the bill, the central government can exempt government agencies from the application of provisions of the Bill. However, this can be done only on specified grounds such as the security of the state, public order, and prevention of offences.

Additionally, the Bill amends the Right to Information Act, of 2005 (RTI). It will remove the public interest exemptions on disclosing any personal information. 

Currently, the RTI Act allows all public authorities to disclose personal information, including officials’ salaries, only when it is in the public interest. But this bill will completely disallow disclosing any personal information.

Six years ago, the Supreme Court declared the ‘Right to Privacy’ as a fundamental right. Now, this bill has incorporated all the measures to prevent the misuse of users’ personal information by online platforms, marking a huge milestone for digital India.