Industry leaders on Wednesday hailed the passing of the Digital Protection Data Protection (DPDP) Bill 2023 by the Parliament, saying India is rapidly digitising and hence the bill stands as a crucial and long-awaited piece of legislation which upholds an individual’s right to safeguard their digital privacy.
Minister of State for Electronics and IT, Rajeev Chandrasekhar, tweeted that he feels deeply privileged at being given an opportunity by Prime Minister Narendra Modi “to help achieve this important step to protect our citizens rights and support innovation economy and governance”.
“My engagement on the issue of privacy started in 2010 and led to me filing a case in the Supreme Court as a petitioner that fought and succeeded in order that Privacy is a fundamental right,” he said.
“More than a decade on, India and Indians under PM Modi have a global standard Digital Personal Data Protection law,” the minister posted.
Union Telecom Minister Ashwini Vaishnaw moved the Digital Personal Data Protection Bill, 2023 for consideration and passing in the Rajya Sabha after the Lok Sabha had already passed it.
From hefty penalties ranging from a minimum of Rs 50 crore to a maximum of Rs 250 crore on social media platforms for violating rules to enabling digital markets to grow more responsibly while safeguarding citizens’ data, the data protection bill envisages the creation of a Data Protection Board of India.
Ruchir Shukla, MD, Safehouse Tech said that the bill is set to establish an international benchmark for data protection frameworks. “While online safety for institutions have been prioritised thus far, this bill will ensure safeguarding individuals in the digital world too,” Shukla said.
The Data Protection Bill will assess penalties based on the nature and severity of the breach, with potential fines of up to Rs 250 crore for instances of data breaches, failure to protect personal data, or failure to inform the Board and users of a breach.
The Bill will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised. It will also apply to such processing outside the country, if it is for offering goods or services in India.
Personal data may be processed only for a lawful purpose upon consent of an individual. Consent may not be required for specified legitimate uses such as voluntary sharing of data by the individual or processing by the state for permits, licences, benefits, and services.
Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.
The Bill grants certain rights to individuals, including the right to obtain information, seek correction and erasure, and grievance redressal.
The Centre may exempt government agencies from the application of provisions of the Bill in the interest of specified grounds such as security of the state, public order, and prevention of offences.
According to Manish Sehgal, Partner, Risk Advisory, Deloitte India, the Bill will enhance the privacy cognisance of Indian citizens by empowering them with their privacy rights through transformative accountability measures to be adopted by the enterprises. The Bill brings in the much-needed legal framework to foster trust in digital markets. On one hand, it protects the privacy of Indian digital citizens and on the other, it enables digital markets to grow more responsibly.
In the event of a data breach, companies are mandated to promptly inform the Data Protection Board (DPB) and the affected users. Processing data of minors and individuals with guardians must be done only with the consent of guardians, according to the Bill.
Companies are required to appoint a Data Protection Officer and share their contact details with the users.