The Rajya Sabha on August 9 passed the Digital Personal Data Protection Bill (DPDPB), 2023 by voice vote. The Lok Sabha had passed the bill on August 7. The bill will now become law after president Draupadi Murmu grants her assent. From hefty penalties ranging from a minimum of Rs 50 crore to a maximum of Rs 250 crore on social media platforms for violating rules to enabling digital markets to grow more responsibly while safeguarding citizens’ data, the Bill comes after six years of the Supreme Court declaring “Right to Privacy” as a fundamental right has provisions to curb the misuse of individuals’ data by online platforms.
The passing of the Bill by the Parliament stands as a crucial and long-awaited piece of legislation which upholds an individual’s right to safeguard their digital privacy. Companies are required to appoint a Data Protection Officer and share their contact details with the users. Minister of State for Electronics and IT, Rajeev Chandrasekhar, tweeted that this important step will protect citizens’ rights. He also recalled his engagement on the issue of privacy since 2010 which led him to file a case in the Supreme Court as a petitioner that fought and succeeded in order that privacy is a fundamental right.
The data protection bill envisages the creation of a Data Protection Board of India. The bill is set to establish an international benchmark for data protection frameworks. While online safety for institutions have been prioritised thus far, this bill will ensure safeguarding individuals in the digital world too. The Data Protection Bill will assess penalties based on the nature and severity of the breach, with potential fines of up to Rs 250 crore for instances of data breaches, failure to protect personal data, or failure to inform the Board and users of a breach.
The Bill will apply to the processing of digital personal data within India where such data is collected online or collected offline and is digitised. It will also apply to such processing outside the country, if it is for offering goods or services in India. Personal data may be processed only for a lawful purpose upon consent of an individual. Consent may not be required for specified legitimate uses such as voluntary sharing of data by the individual or processing by the state for permits, licences, benefits, and services. Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.
The Bill grants individuals the right to obtain information, seek correction and erasure, and grievance redressal. The Centre may exempt government agencies from the application of provisions of the Bill in the interest of state security, public order, and prevention of offences. The Bill will enhance the privacy cognisance of Indian citizens by empowering them with their privacy rights through transformative accountability measures to be adopted by the enterprises. It also brings in the much-needed legal framework to foster trust in digital markets. On one hand, it protects the privacy of Indian digital citizens and on the other it enables digital markets to grow more responsibly.