LS passes Digital Personal Data Protection Bill, prescribes up to Rs 250cr for data breach

The bill addresses two long-standing demands of the tech industry by allowing relaxations around the age of consent for children, and by significantly easing cross-border data flows

e4m by Kanchan Srivastava
Published: Aug 8, 2023 8:52 AM  | 6 min read

The Lok Sabha on Monday passed the Digital Personal Data Protection Bill, 2023 with a “voice vote” amid protests from the opposition parties who alleged that the bill violated citizens' Right to Privacy. It is likely to be tabled in Rajya Sabha soon, where the ruling coalition is short of the majority mark. 

The Bill seeks to ease data storage, processing and transfer norms for government and private companies, including Big Tech firms as well as local firms seeking growth abroad. Once it becomes law, it will ease data flows and reduce compliance burdens for tech giants like Google and Meta, which store the personal data of millions of Indians. It allows companies to export personal data to any country except those specified by the government.

The bill prescribes a maximum penalty of Rs 250 crore for the most serious contraventions, with lower caps (down to Rs 50 crore) for other categories of violation. It also states that if an entity is penalised on more than two instances, the central government, after hearing the entity, can decide to block its platform in the country.

Currently, India does not have a standalone law on data protection. Use of personal data is regulated under the Information Technology (IT) Act, 2000 and the rules framed under it. The opposition, which has expressed concerns over the legislation, has been demanding that the bill be sent to a parliamentary panel for further deliberations.

Personal data in digital advertising 

The Bill, whose original version was withdrawn last November after heavy criticism, has come at a time when consumers are increasingly becoming aware of the safety of their personal data and governments across the world have geared up to ensure citizens’ privacy. Personal data is information that relates to an identified or identifiable individual. 

Businesses as well as government entities process personal data for delivery of goods and services.  Processing of personal data allows understanding preferences of individuals, which may be useful for customisation, targeted advertising, and developing recommendations. 

Unchecked processing may have adverse implications for the privacy of individuals, which has been recognised as a fundamental right. It may subject individuals to harm such as financial loss, loss of reputation, and profiling.

The Bill addresses two key long-standing demands of the tech industry– by allowing relaxations around the age of consent for children, and by significantly easing cross-border data flows. 

The Bill gives the central government the power to prescribe an age of consent lower than 18 years for accessing Internet services without parental consent, provided the platform in question can process children's data in a "verifiably safe manner". This would help the edtech and health sectors, among others.

Exemptions for the Government

The Bill offers sweeping exemptions to the Centre. The government can process personal data for the provision of a benefit, service, licence, permit or certificate without citizens' consent. It specifically allows data processed for one of these purposes to be used for another, and allows personal data already available with the State to be used for any of these purposes.

"The Bill removes the purpose limitation that ensures that data is collected for specific purposes, and should be used only for that purpose. Rather, it gives wide exemptions to the government. That means it will not apply with respect to the processing of personal data when notified by an 'instrumentality of the state as the central government may notify'," says an expert.

These exemptions can be invoked in the interests of the sovereignty and integrity of the country, security of the State, friendly relations with foreign states, maintenance of public order, or preventing incitement to any cognisable offence relating to any of these. Some MPs allege that the "Bill creates a good framework for surveillance of citizens."

"If there is a natural disaster like an earthquake, will the government have time to seek consent for processing people's data, or will it have to act quickly to ensure their safety? If the police are conducting an investigation to catch an offender, should the offender's consent be taken?" Vaishnaw stated, responding to the criticism.

He added that the European Union’s General Data Protection Regulation (GDPR) has 16 exemptions, but India’s Bill has four exemptions.

Key Features

Applicability: The Bill applies to the processing of digital personal data within India where such data is (i) collected online, or (ii) collected offline and then digitised. It also applies to the processing of personal data outside India if the processing is in connection with offering goods or services to individuals in India.

Consent: Personal data may be processed only for a lawful purpose after obtaining the consent of the individual. A notice must be given before seeking consent, containing details of the personal data to be collected and the purpose of processing. Consent may be withdrawn at any point in time.

No consent for legitimate uses: Consent will not be required for "legitimate uses", including (i) the specified purpose for which an individual has voluntarily provided data, (ii) provision of a benefit or service by the government, (iii) a medical emergency, and (iv) employment. For individuals below 18 years of age, consent must be given by the parent or legal guardian.

Rights and duties of the data principal: An individual whose data is being processed (the data principal) will have the right to (i) obtain information about the processing, (ii) seek correction and erasure of personal data, (iii) nominate another person to exercise these rights in the event of death or incapacity, and (iv) grievance redressal.

Rs 10,000 penalty for false complaints: Data principals must not (i) register a false or frivolous complaint, or (ii) furnish false particulars or impersonate another person in specified cases. Violation of these duties is punishable with a penalty of up to Rs 10,000.

Obligations of data fiduciaries: The entity determining the purpose and means of processing (the data fiduciary) must (i) make reasonable efforts to ensure the accuracy and completeness of data, (ii) implement reasonable security safeguards to prevent a personal data breach, (iii) inform the Data Protection Board of India and affected persons in the event of a breach, and (iv) erase personal data once the purpose has been served and retention is no longer necessary for legal purposes (storage limitation). For government entities, the storage limitation obligation and the data principal's right to erasure will not apply.

Transfer of personal data outside India: The Bill allows transfer of personal data outside India to any country except those restricted by the central government through notification.

Data Protection Board of India: The central government will establish the Data Protection Board of India to monitor compliance, impose penalties and hear grievances raised by affected persons. Board members will be appointed for two years and will be eligible for re-appointment. The central government will prescribe details such as the number of members of the Board and the selection process.

Decisions of the Data Protection Board can be appealed before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT), which is headed by a judicial member.
