Digital Data Protection Bill 2023 – India

With the passage of the Digital Data Protection Bill 2023 in the lower house (Lok Sabha) of the Indian Parliament, a lot of furor and rumbling has started. However, it is important to analyse the Bill and understand its outcome from a technical perspective.

The Digital Personal Data Protection Bill, 2023 (“the Bill”) is introduced as a full-fledged law to oversee digital processing of the “Personal Data” of Indians. Once passed in the upper house (Rajya Sabha) and signed by the President of India, the Bill will replace existing data protection laws, largely enforced via Section 43A of the Information Technology Act, 2000 (Amendment Act 2008).

Interestingly, this would put India in the league of nations that have a full-fledged data privacy and protection law, alongside the European Union (GDPR), Brazil (General Data Protection Law), Canada (PIPEDA), Australia (multiple laws), Argentina (Personal Data Protection Act), Israel (multiple laws), New Zealand (multiple laws), Singapore (Personal Data Protection Act) and a few more.

The Bill will establish a comprehensive framework for the protection of personal data. This framework covers, and extends its jurisdiction to, personal data collected within India (whether online or offline). The Bill's regulations are also enforceable if the data processing occurs outside India but involves offering goods and services to resident Indian citizens.

Personal Data has been defined as any data that can help identify an individual ‘by or in relation’ to such data. This is in line with laws in other geographies, where Personal Data is any data that can personally identify a named individual, and includes data such as name in combination with date of birth, demographic details, phone number and other specific information such as Tax ID (PAN in the case of India), Social Security Number (Aadhaar), bank account details, etc.

On the other hand, processing has been defined as a wholly or partially automated operation (collected offline but digitised), and also includes operations performed on data, including collection, storage, use, and sharing.

Apart from local processing of data, the Bill also covers aspects of extraterritorial user data processing if goods or services are to be sold in India.

Overall, with the inclusion of consent, reporting and strict data security norms, it is clear that the Bill is in the interest of the Data Subjects (citizens of India) and the Indian economy. Once the Bill becomes an Act, it will help ensure that the trade blocs that depend on Standard Contractual Clauses for GDPR alignment will not be a showstopper for data processing companies in India, as those companies will need to be more diligent and will have to ensure they align to the strict security measures required by the Bill.

Key highlights of this bill include:

1. Data Security: Entities dealing with user data are required to ensure the protection of personal data, even if it is stored with third-party data processors.

2. Data Breach Notification: In the event of a data breach, companies are mandated to promptly inform the Data Protection Board (DPB) and affected users.

3. Special Provisions for Children and Physically Disabled Persons: Processing data of minors and individuals with guardians must be done only with the consent of guardians.

4. Appointment of Data Protection Officer (DPO): Firms are required to appoint a Data Protection Officer and share their contact details with users.

5. Government Authority over Data Transfer: The Bill empowers the central government to regulate the transfer of personal data to foreign countries or territories beyond India.

6. Appeals Mechanism: Appeals against DPB decisions will be adjudicated by the Telecom Disputes Settlement and Appellate Tribunal.

7. DPB’s Authority: The DPB has the authority to summon and examine individuals under oath, inspect documents of companies handling personal data, and recommend blocking access to intermediaries that repeatedly breach the bill’s provisions.

8. Penalties: The DPB will assess penalties based on the nature and severity of the breach, with potential fines of up to Rs 250 crore (or Rs. 25 Billion) for instances of data breaches, failure to protect personal data, or failure to inform the DPB and users of a breach.

Credits: With Inputs from https://t.me/DGPIndia
