In August 2023, the Digital Personal Data Protection Bill (DPDP), 2023 was tabled in the Lok Sabha. The first draft of the Bill was composed back in 2018. This is the fourth iteration. The Bill provides a legislative framework to protect the personal data of data principals (the individuals to whom the data relates), and spells out their rights and duties. At the same time, the Bill also spells out the rights and duties of data fiduciaries (who decide why and how personal data is collected and processed), of data processors (who process the data on a fiduciary's behalf), and of consent managers (who act as intermediaries between data principals and fiduciaries).
Privacy, including privacy of personal data, is a fundamental right, and digital data includes personal data. The 2023 draft was not put out for public perusal before being tabled.
There is no insistence on local data storage. Social media platforms are treated as data fiduciaries. Data is to be collected for specific purposes with informed consent. The Bill provides for the correction, updating or erasure of personal data once the specific purpose for which it was collected has been served, or when the principal withdraws consent.
Breaches of personal data must be notified promptly to the Board and to the affected data principals; a fiduciary that fails to do so is liable to a monetary penalty.
Significant data fiduciaries are those that process large volumes of sensitive data. They will have to appoint a Data Protection Officer based in India and an independent data auditor to conduct periodic data audits.
The central government and its instrumentalities have been given the right to collect and process data for broadly defined purposes. This is a cause for concern.
The Bill proposes a Data Protection Board of India (DPB) as the adjudicating body, the members of which will be appointed by the Centre. Ideally, such a board should be independent of the executive. A person aggrieved by an order or decision of the Board may appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
The onus for a data breach will lie with the companies acting as data fiduciaries, even where the processing has been outsourced to a data processor.
Startups may be exempted by the government from the more onerous provisions of the Bill, but they remain subject to penalties for data breaches. The exemption is meant to apply while a startup is developing a new product; once the product is commercialised, the startup will be subject to the provisions applicable to established firms.
The main principles of the Bill are data minimisation, purpose limitation and storage limitation. Data minimisation means entities may collect only the minimum data absolutely required. Purpose limitation means data can be used only for the purpose for which it was collected. Storage limitation means that once the purpose is served or consent is withdrawn, the data must be deleted, unless its retention is required by law.
The government also gets the power to block access to an intermediary or other firm in case of repeated data breaches and violations of the provisions of the Bill. Such blocking will be on the recommendation of the DPB.
The government gets the right to exempt any of its agencies from the provisions of the Bill. This is a lean, principle-based draft, presented as the outcome of wide consultation (about 20,000 submissions, dozens of discussions, and a balancing of various interests).
Some of its provisions are less prescriptive than the standards in the EU's GDPR. Big Tech firms face checks on the monetisation of personal data.