2. Character Arc: tracing past developments
• Unchecked processing of personal data may have adverse implications for the privacy of persons, which has been recognized as a fundamental right (Justice K.S. Puttaswamy (Retd) vs. Union of India).
• In 2017, the central government constituted a Committee of Experts on Data Protection, chaired by Justice B. N. Srikrishna, to examine issues relating to data protection in the country. The Committee submitted its report in July 2018. Based on the recommendations of the Committee, the Personal Data Protection Bill, 2019 was introduced in Lok Sabha in December 2019. The Bill was referred to a Joint Parliamentary Committee, which submitted its report in December 2021; that report ultimately took the form of the Digital Personal Data Protection Bill, 2022.
• In August 2022, the Bill was withdrawn from Parliament. In November 2022, a Draft Bill was released for public consultation. In August 2023, the Digital Personal Data Protection Bill, 2023 was introduced in Parliament.
3. Important Definitions
• “Data” means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means;
• “Personal data” means any data about an individual who is identifiable by or in relation to such data;
• “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;
• “Data Principal” means the individual to whom the personal data relates and, where such individual is—
  • a child, includes the parents or lawful guardian of such a child;
  • a person with disability, includes her lawful guardian, acting on her behalf;
• “Data Processor” means any person who processes personal data on behalf of a Data Fiduciary;
• “Processing” means a wholly or partially automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.
4. Application of the Bill
• Applicability: The Bill applies to the processing of digital personal data within India where such data is: (i) collected online, or (ii) collected offline and is digitized. It will also apply to the processing of personal data outside India if it is for offering goods or services in India.
• The Bill does not apply to: (i) personal data processed by an individual for any personal or domestic purpose; and (ii) personal data that is made or caused to be made publicly available by—
  (A) the Data Principal, or
  (B) any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available.
5. Consent
• Consent: Personal data may be processed only for a lawful purpose after obtaining the consent of the individual. A notice must be given before seeking consent. The notice should contain details about the personal data to be collected and the purpose of processing.
• Consent may be withdrawn at any point in time, and the details of the manner of withdrawal shall be provided in the notice itself.
• Consent will not be required for ‘legitimate uses’, including: (i) the specified purpose for which data has been provided by an individual voluntarily, (ii) provision of a benefit or service by the government, (iii) a medical emergency, and (iv) employment.
• For individuals below 18 years of age, consent will be provided by the parent or the legal guardian.
6. Obligations of data fiduciaries
• The entity determining the purpose and means of processing (the data fiduciary) must:
  • (i) make reasonable efforts to ensure the accuracy and completeness of data,
  • (ii) build reasonable security safeguards to prevent a data breach,
  • (iii) inform the Data Protection Board of India and affected persons in the event of a breach, and
  • (iv) erase personal data as soon as the purpose has been met and retention is not necessary for legal purposes (storage limitation). In the case of government entities, storage limitation and the right of the data principal to erasure will not apply.
7. SDFs and their obligations
• The government may notify ‘significant data fiduciaries’ (SDFs) by assessing factors such as the volume and sensitivity of the personal data processed, the risk to the rights of the data principals, and the potential impact on the sovereignty and integrity of India, among other things.
• SDFs must:
  (i) appoint a data protection officer (DPO) based in India, who will be responsible to the board of directors of the SDF;
  (ii) appoint an independent data auditor to evaluate the SDF’s compliance with the Bill;
  (iii) undertake data protection impact assessments (DPIA) and periodic audits, as may be prescribed under rules.
8. Rights and Duties of Data Principal
• An individual whose data is being processed (the data principal) will have the right to: (i) obtain information about processing, (ii) seek correction and erasure of personal data, (iii) nominate another person to exercise rights in the event of death or incapacity, and (iv) grievance redressal.
• Data principals will have certain duties. They must not: (i) register a false or frivolous complaint, and (ii) furnish any false particulars or impersonate another person in specified cases. Violation of duties will be punishable with a penalty of up to Rs 10,000.
9. Transfer of Personal Data Abroad
• Transfer of personal data outside India: The Bill allows transfer of personal data outside India, except to countries restricted by the central government through notification.
10. Exemptions
• Rights of the data principal and obligations of data fiduciaries (except data security) will not apply in specified cases. These include:
  • (a) Processing of personal data is allowed if it is necessary to enforce a legal right or claim.
  • (b) Processing of personal data by a court, tribunal, or other body in India is allowed if it is necessary for the performance of a judicial, quasi-judicial, regulatory, or supervisory function.
  • (c) Processing of personal data is allowed if it is necessary to prevent, detect, investigate, or prosecute an offence or contravention of any law in India.
  • (d) Processing of personal data of Data Principals (DPs) who are not in India is allowed if it is pursuant to a contract entered into with any person outside India by any person based in India.
  • (e) Processing of personal data is allowed if it is necessary for a scheme of compromise or arrangement or merger or amalgamation of two or more companies, or a reconstruction by way of demerger or otherwise of a company, or transfer of undertaking of one or more companies to another company, or involving division of one or more companies, approved by a court, tribunal, or other authority competent to do so by any law in force.
  • (f) Processing of personal data is allowed for the purpose of ascertaining the financial information and assets and liabilities of any person who has defaulted in payment due on account of a loan or advance taken from a financial institution, subject to such processing being in accordance with the provisions regarding disclosure of information or data in any other law in force.
• The central government may, by notification, exempt certain activities from the application of the entire Bill. These include:
  • processing by government entities in the interest of the security of the state and public order, and
  • research, archiving, or statistical purposes.
11. Data Protection Board of India
• The central government will establish the Data Protection Board of India. Key functions of the Board include:
  • monitoring compliance and imposing penalties,
  • directing data fiduciaries to take necessary measures in the event of a data breach, and
  • hearing grievances made by affected persons.
• Board members will be appointed for two years and will be eligible for re-appointment.
• The central government will prescribe details such as the number of members of the Board and the selection process.
12. Penalty
• The schedule to the Bill specifies penalties for various offences, such as up to: (i) Rs 200 crore for non-fulfilment of obligations for children, and (ii) Rs 250 crore for failure to take security measures to prevent data breaches.
• Penalties will be imposed by the Data Protection Board after conducting an inquiry.