The Union Cabinet approved the draft of the Digital Personal Data Protection (DPDP) Bill 2023 on July 5, 2023. As per officials, the bill is likely to be tabled during the upcoming monsoon session of Parliament.
The draft DPDP Bill 2023 was finalised after careful consideration of the issues raised during discussions and comments. According to the draft, the goal of this Act is to allow for the processing of digital personal data in a way that recognises both individuals’ right to privacy and the necessity to treat personal data for authorised purposes.
The government stated that the complete range of principles was actively reviewed and discussed throughout the preparation of the Personal Data Protection Bill in 2019. These include, among other things, individual rights, the duties of entities processing personal data, and the legal framework.
The proposed Bill’s fundamental premise is that organisations must legally use personal data, be fair to the individuals involved, and be transparent.
The second principle of purpose limitation is that personal data be used for the purposes for which it was collected. The third principle of data minimisation is that only those items of personal data required for attaining a specific purpose must be collected.
Among others, personal data should be limited to such duration as is necessary for the stated purpose for which it was collected, and reasonable safeguards should be taken to ensure that there is no unauthorised collection or processing of personal data.
Reacting to the big breaking, the Leader of the IP, Technology, Media and Telecom Practice at Nishith Desai Associates, Gowree Gokhale said, “DPDP Bill is a much-awaited legislation. The last version of the Bill was much simpler form than the earlier versions. Various industries had given feedback on several aspects e.g. cross border transfer, handling of children’s data, deemed consent provisions, and the powers of the board in levying penalties.”
“Hopefully, the government has addressed industry concerns in the next version. The government has been given rule-making power in several areas. The industry will need to work closely with the government so that the rules are simple and implementable, especially for the start-up ecosystem,” she added.
In December 2019, the Centre presented the Personal Data Protection Bill 2019 to Parliament. The Joint Committee of Parliament received the Bill for review. Following discussions, the Joint Committee gave the Speaker a report. The Bill was dropped in August 2022 as a result of comments from stakeholders and several agencies.
A public consultation on a new draft bill, the DPDP Bill 2022, was launched by the government on November 18, 2022. On this subject, an in-depth consultation was undertaken.
Public opinions totalling 21,666 were received, and 46 sector groups, organisations, and industry bodies were consulted throughout the process. 38 ministries and departments of the Indian government also provided comments.
Six different sorts of sanctions for non-businesses to firms were proposed in the reintroduced Draft DPDP Bill 2022. In the draft law that was released for public discussion, a fine of up to Rs 250 crore is being suggested as a deterrent to personal data breaches.
Additionally, a fine of up to Rs 200 crore may be imposed for failing to notify the Board and the affected Data Principals in the event of a personal data breach and for failing to comply with specific duties relating to Children.
Significant Data Fiduciaries may be subject to fines of Rs 150 crore and Rs 10 crore, respectively, for failing to fulfil extra requirements, under Sections 11 and 16 of the Act.
Last but not least, violations of this Act’s provisions other than those stated in (1) through (5) and any rules enacted under it could result in fines of up to Rs 50 crore.