Digital Personal Data Protection Act, 2023

Last updated

Digital Personal Data Protection Act, 2023
Emblem of India.svg
Parliament of India
  • An Act to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.
Citation Act No. 22 of 2023
Territorial extent India
Passed byLok Sabha
Passed7 August 2023
Passed byRajya Sabha
Passed9 August 2023
Assented to by President of India
Assented to11 August 2023
Legislative history
First chamber: Lok Sabha
Bill citation Bill No. 113 of 2023
Introduced by Ashwini Vaishnaw Minister of Electronics and Information Technology, Minister of Communications, Minister of Railways
First reading 3 August 2023
Keywords
Consent, Data privacy, Data breach
Status: Not yet in force

The Digital Personal Data Protection Act, 2023 (also known as DPDP Act or DPDPA-2023) is an act of the Parliament of India to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto. [1] This is the first Act of the Parliament of India where "she/her" pronouns were used unlike the usual "he/him" pronouns. [2] [3]

Contents

Timeline

Background

Personal Data Protection Bill, 2019

The Ministry of Electronics and Information Technology set up a committee to study issues related to data protection. The committee was chaired by retired Supreme Court judge Justice B. N. Srikrishna. The committee submitted the draft version of Personal Data Protection in July 2018. [21] The report was later modified several times by the Government of India and, after receiving the approval of central cabinet, the draft legislation was tabled in the Parliament of India on 11 December 2019. [22]

As bill

The Bill aims to: [23]

to provide for protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data, protect the fundamental rights of individuals whose personal data are processed, to create a framework for organisational and technical measures in processing of data, laying down norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorised and harmful processing, and to establish a Data Protection Authority of India for the said purposes and for matters connected there with or incidental thereto.

It provided for extensive provisions around collection of consent, assessment of datasets, data flows and transfers of personal data, including to third countries and other aspects around anonymized and non-personal data. [24]

Criticism and withdrawal

The revised 2019 Bill was criticized by Justice B. N. Srikrishna, the drafter of the original Bill, as having the ability to turn India into an "Orwellian State". [lower-alpha 1] [25] In an interview with Economic Times, Srikrishna said that, "The government can at any time access private data or government agency data on grounds of sovereignty or public order. This has dangerous implications.” [25] [26]

The role of social media intermediaries is being regulated more tightly on several fronts. The Wikimedia Foundation is hoping that the PDP bill will prove the lesser evil compared with the Draft Information Technology [Intermediary Guidelines (Amendment) Rules] 2018. [27] [28]

Forbes India reports that "there are concerns that the Bill gives the government blanket powers to access citizens' data." [29]

The bill after being tabled was referred to the JPC which was chaired by Meenakshi Lekhi. After it received criticism from stakeholders, opposition and experts the bill was withdrawn from the Parliament of India on 3 August 2022. [30]

Digital Personal Data Protection Bill, 2023

Aim

Source: [31]

The Bill provides for the processing of digital personal data in a manner that recognizes both the rights of the individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.

The Digital Personal Data Protection Bill, 2023 is the draft version of the Digital Personal Data Protection Act, 2023, initially the government has released its the Digital Personal Data Protection Bill, 2022 on 18 November 2022 for public consultation till 2 January 2023 and approved the revised version of the earlier draft which was released for public consultation making it the Digital Personal Data Protection Bill, 2023. [32] [33]

Timeline, introduction and passage

  • On 18 November 2022, the Digital Personal Data Protection Bill, 2022 was released for public consultation, the deadline for receiving comments was 17 December 2022
  • On 17 December 2022, the Ministry of Electronics and Information Technology has extended the deadline for receiving public comments till 2 January 2023
  • On 5 July 2023, the cabinet has approved the Digital Personal Data Protection Bill, 2023 which is the revised version of the bill which was put up for public consulation earlier. [6]
  • On 3 August 2023, the revised version of the Digital Personal Data Protection Bill, 2022 which is the Digital Personal Data Protection Bill, 2023 was introduced by Ashwini Vaishnaw, Minister of Electronics and Information Technology in Lok Sabha.
  • On 7 August 2023, the bill was passed by Lok Sabha. [34] The bill was then introduced and passed in the upper house of the Indian Parliament Rajya Sabha on 9 August 2023. [35]
  • On 11 August 2023, Draupadi Murmu, President of India has given assent to the Digital Personal Data Protection Bill, 2023 which made it the Digital Personal Data Protection Act, 2023. [10] [11]

Overview

The Act protects digital personal data (that is, the data by which a person may be identified) by providing for the following [1]

Comparison with GDPR

The Digital Personal Data Protection Act, 2023 (DPDPA) and the European Union's General Data Protection Regulation (GDPR) share similar principles but differ in key aspects. The DPDPA-2023 applies only to digital personal data, while GDPR covers all forms of personal data. [36] Unlike GDPR, DPDPA-2023 does not distinguish between personal and sensitive personal data. [37] Both laws grant similar rights to individuals but differ in their approach to legal bases for data processing. [36]

Comparison of Digital Personal Data Protection Act, 2023 (DPDPA-2023) and General Data Protection Regulation (GDPR)
FeatureDigital Personal Data Protection Act, 2023 (DPDPA-2023)General Data Protection Regulation (GDPR)
ScopeRegulates digital personal data processing; includes extraterritorial application for offering goods/services in India.Covers all personal data, digital or otherwise; applies to any organization processing data of individuals within the EU, irrespective of location.
Type of DataLimited to digital personal data.Covers all personal data, including non-digital.
Legal Basis for ProcessingConsent required with some legitimate use cases (e.g., employment, legal obligations, emergencies). Does not include contractual necessity or legitimate interests.Consent required with explicit bases including legitimate interests, contractual necessity, legal obligations, etc.
Data Principal RightsRight to access, correction, erasure, grievance redressal. Unique rights: appoint another to exercise rights on data principal’s behalf in event of death/incapacity.Rights to be informed, access, rectification, erasure, restriction of processing, data portability, objection, not to be subject to automated decisions.
Cross-Border Data TransfersPermitted unless to jurisdictions restricted by Indian Government.Permitted based on adequacy decisions.

Data Protection Board of India

Under section 18 of the Digital Personal Data Protection Act, 2023, the Data Protection Board of India, an adjudicating body, will be established. [38] [39] [40]

The Minister of Electronics and Information Technology Ashwini Vaishnaw and the then MoS Rajeev Chandrasekhar stated in press that the Central government is setting up the Data Protection Board of India which will be an adjudicating body. It is a body that adjudicates the dispute between those whose personal data has been given to a platform and the platform which has in turn breached the obligations under the law. [38] [41] [42]

Rights and provisions

Exemptions

The Act has made exemptions [45] from the regulations related to the Act, they are:

Criticism

Non-applicability to offline personal data

The Act is only applicable to the data collected digitally and when offline data gets digitized. Not having the applicability on offline personal data was criticized as there is no framework on how such data is handled. [46]

See also

Notes

  1. Orwellian State is a term to denote draconian control of its people by a state as described in the novel ‘Nineteen Eighty Four’ by George Orwell.

Related Research Articles

<span class="mw-page-title-main">Data Protection Directive</span> EU directive on the processing of personal data

The Data Protection Directive, officially Directive 95/46/EC, enacted in October 1995, was a European Union directive which regulated the processing of personal data within the European Union (EU) and the free movement of such data. The Data Protection Directive was an important component of EU privacy and human rights law.

The right to privacy is an element of various legal traditions that intends to restrain governmental and private actions that threaten the privacy of individuals. Over 185 national constitutions mention the right to privacy. On December 10, 1948, the United Nations General Assembly adopted the Universal Declaration of Human Rights (UDHR); while the right to privacy does not appear in the document, many interpret this through Article 12, which states: "No one shall be subjected to arbitrary interference with their privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks."

<span class="mw-page-title-main">Information Commissioner's Office</span> Non-departmental public body

The Information Commissioner's Office (ICO) is a non-departmental public body which reports directly to the Parliament of the United Kingdom and is sponsored by the Department for Science, Innovation and Technology. It is the independent regulatory office dealing with the Data Protection Act 2018 and the General Data Protection Regulation, the Privacy and Electronic Communications Regulations 2003 across the UK; and the Freedom of Information Act 2000 and the Environmental Information Regulations 2004 in England, Wales and Northern Ireland and, to a limited extent, in Scotland. When they audit an organisation they use Symbiant's audit software.

Personal data, also known as personal information or personally identifiable information (PII), is any information related to an identifiable person.

Bellur Narayanaswamy Srikrishna is an Indian jurist and a retired judge of the Supreme Court of India. From 1993 to 1998, he headed the "Srikrishna Commission" that investigated causes and apportioned blame for the Bombay riots of 1992–93. In 2010, he headed the "Srikrishna Committee" that was constituted to look into the demand for separate statehood for Telangana. He is the chairman of the Financial Sector Legislative Reforms Commission (FSLRC) and also works as an independent arbitrator.

Information privacy, data privacy or data protection laws provide a legal framework on how to obtain, use and store data of natural persons. The various laws around the world describe the rights of natural persons to control who is using its data. This includes usually the right to get details on which data is stored, for what purpose and to request the deletion in case the purpose is not given anymore.

A cybersecurity regulation comprises directives that safeguard information technology and computer systems with the purpose of forcing companies and organizations to protect their systems and information from cyberattacks like viruses, worms, Trojan horses, phishing, denial of service (DOS) attacks, unauthorized access and control system attacks. While cybersecurity regulations aim to minimize cyber risks and enhance protection, the uncertainty arising from frequent changes or new regulations can significantly impact organizational response strategies.

Privacy law is a set of regulations that govern the collection, storage, and utilization of personal information from healthcare, governments, companies, public or private entities, or individuals.

ePrivacy Directive

Privacy and Electronic Communications Directive2002/58/EC on Privacy and Electronic Communications, otherwise known as ePrivacy Directive (ePD), is an EU directive on data protection and privacy in the digital age. It presents a continuation of earlier efforts, most directly the Data Protection Directive. It deals with the regulation of a number of important issues such as confidentiality of information, treatment of traffic data, spam and cookies. This Directive has been amended by Directive 2009/136, which introduces several changes, especially in what concerns cookies, that are now subject to prior consent.

Data portability is a concept to protect users from having their data stored in "silos" or "walled gardens" that are incompatible with one another, i.e. closed platforms, thus subjecting them to vendor lock-in and making the creation of data backups or moving accounts between services difficult.

<span class="mw-page-title-main">General Data Protection Regulation</span> EU regulation on the processing of personal data

The General Data Protection Regulation, abbreviated GDPR, or French RGPD is a European Union regulation on information privacy in the European Union (EU) and the European Economic Area (EEA). The GDPR is an important component of EU privacy law and human rights law, in particular Article 8(1) of the Charter of Fundamental Rights of the European Union. It also governs the transfer of personal data outside the EU and EEA. The GDPR's goals are to enhance individuals' control and rights over their personal information and to simplify the regulations for international business. It supersedes the Data Protection Directive 95/46/EC and, among other things, simplifies the terminology.

<span class="mw-page-title-main">Data Protection Act 2018</span> United Kingdom legislation

The Data Protection Act 2018 is a United Kingdom Act of Parliament which updates data protection laws in the UK. It is a national law which complements the European Union's General Data Protection Regulation (GDPR) and replaces the Data Protection Act 1998.

The Personal Data Protection Bill is a Pakistani law that attempts to protect personal data from misuse by corporations and governments. The implementation of GDPR by the European Union impacted the Cyber Law policymakers of Pakistan, the Ministry of Information Technology and Telecommunication.

The California Consumer Privacy Act (CCPA) is a state statute intended to enhance privacy rights and consumer protection for residents of the state of California in the United States. The bill was passed by the California State Legislature and signed into law by the Governor of California, Jerry Brown, on June 28, 2018, to amend Part 4 of Division 3 of the California Civil Code. Officially called AB-375, the act was introduced by Ed Chau, member of the California State Assembly, and State Senator Robert Hertzberg.

The right of access, also referred to as right to access and (data) subject access, is one of the most fundamental rights in data protection laws around the world. For instance, the United States, Singapore, Brazil, and countries in Europe have all developed laws that regulate access to personal data as privacy protection. The European Union states that: "The right of access occupies a central role in EU data protection law's arsenal of data subject empowerment measures." This right is often implemented as a Subject Access Request (SAR) or Data Subject Access Request (DSAR).

<span class="mw-page-title-main">Personal Data Protection Bill, 2019</span> Data Protection Bill of India

The Personal Data Protection Bill, 2019 was a proposed legislation by the Parliament of India which was withdrawn. The bill covers mechanisms for protection of personal data and proposes the setting up of a Data Protection Authority of India for the same. Some key provisions the 2019 Bill provides for which the 2018 draft Bill did not, such as that the central government can exempt any government agency from the Bill and the Right to Be Forgotten, have been included.

<span class="mw-page-title-main">General Personal Data Protection Law</span> Brazilian regulation on the processing of personal data

The General Personal Data Protection Law, is a statutory law on data protection and privacy in the Federative Republic of Brazil. The law's primary aim is to unify 40 different Brazilian laws that regulate the processing of personal data. The LGPD contains provisions and requirements related to the processing of personal data of individuals, where the data is of individuals located in Brazil, where the data is collected or processed in Brazil, or where the data is used to offer goods or services to individuals in Brazil.

The Age appropriate design code, also known as the Children's Code, is a British internet safety and privacy code of practice created by the Information Commissioner's Office (ICO). The draft Code was published in April 2019, as instructed by the Data Protection Act 2018 (DPA). The final regulations were published on 27 January 2020 and took effect 2 September 2020, with a one-year grace period before the beginning of enforcement. The Children's Code is written to be consistent with GDPR and the DPA, meaning that compliance with the Code is enforceable under the latter.

The Data Protection Board of India is an adjudicating body which is being set up by the Government of India under section 18 of the Digital Personal Data Protection Act, 2023. It is a body that adjudicates the dispute between those whose personal data has been given to a platform and the platform which has in turn breached the obligations under the Digital Personal Data Protection Act, 2023.

<span class="mw-page-title-main">Telecommunications Act, 2023</span> Act of the Parliament of India

The Telecommunications Act, 2023 is an act of the Parliament of India to replace the Indian Telegraph Act, 1885. It aims to consolidate laws relating to development, expansion and operation of telecommunication services and networks.

References

  1. 1 2 "The Digital Personal Data Protection Bill 2023 PDF" (PDF).
  2. "Draft data protection Bill uses 'she' and 'her' to refer to all individuals". The Hindu. 18 November 2022. ISSN   0971-751X . Retrieved 9 August 2023.
  3. "Digital Personal Data Protection Act, 2023" (PDF).
  4. 1 2 3 4 5 "Data Protection Framework | Ministry of Electronics and Information Technology, Government of India". www.meity.gov.in. Retrieved 28 August 2023.
  5. 1 2 "Notice - Public Consultation on DPDP 2022_1" (PDF). www.meity.gov.in. Retrieved 5 October 2024.
  6. 1 2 "Cabinet clears Data Protection Bill". The Hindu. 5 July 2023. ISSN   0971-751X . Retrieved 28 August 2023.
  7. 1 2 "Digital Personal Data Protection Bill, 2023 introduced in Lok Sabha". The Hindu. 3 August 2023. ISSN   0971-751X . Retrieved 28 August 2023.
  8. "Data protection bill passed by Lok Sabha, next stop Rajya Sabha". Moneycontrol. 7 August 2023. Retrieved 7 August 2023.
  9. Chishti, Aiman J. (9 August 2023). "Parliament Passes Digital Personal Data Protection Bill". www.livelaw.in. Retrieved 9 August 2023.
  10. 1 2 "India gets a data protection law". Moneycontrol. 11 August 2023. Retrieved 11 August 2023.
  11. 1 2 "Digital Personal Data Protection Bill gets nod from President". The Economic Times. 12 August 2023. ISSN   0013-0389 . Retrieved 11 August 2023.
  12. "Court Case for right to Privacy" (PDF). Archived from the original (PDF) on 28 August 2017. Retrieved 9 August 2023.
  13. "MeitY OM nomination of JS(GS) in Expert Committee221217" (PDF). www.meity.gov.in. 22 December 2017. Retrieved 5 October 2024.
  14. "Public consulation on White Paper - Data Protection Framework for India" (PDF).
  15. "Data Protection Framework - Public consultation meeting at Mumbai" (PDF).
  16. "The Personal Data Protection Bill, 2018" (PDF).
  17. "Data Protection Committee - Report" (PDF).
  18. "Feedback on Draft Personal Data Protection Bill".
  19. 1 2 "The Personal Data Protection Bill, 2019". PRS Legislative Research. Retrieved 28 August 2023.
  20. "Withdrawal of PDPB".
  21. "Draft Personal Data Protection Bill" (PDF).
  22. "The Personal Data Protection Bill, 2019". PRS Legislative Research. Retrieved 28 August 2023.
  23. "The Personal Data Protection Bill, 2019" (PDF). Archived (PDF) from the original on 21 December 2019. Retrieved 21 December 2019.
  24. "An Emergent Data Regime on the cards: Relooking at data practices, Sameer Avasarala, Anirban Mohapatra and Arun Prabhu". Archived from the original on 28 September 2022. Retrieved 22 August 2022.
  25. 1 2 Mandavia, Megha (12 December 2019). "Personal Data Protection Bill can turn India into 'Orwellian State': Justice BN Srikrishna". The Economic Times. Archived from the original on 31 January 2020. Retrieved 21 December 2019.
  26. "Our initial comments on the Personal Data Protection Bill 2019". Dvara Research. 17 January 2020. Archived from the original on 11 April 2020. Retrieved 20 January 2020.
  27. Agarwal, Surabhi (27 December 2019). "Wikimedia flags worries on data law". The Economic Times. Archived from the original on 30 March 2020. Retrieved 28 December 2019.
  28. "Draft Information Technology [Intermediaries Guidelines (Amendment) Rules] 2018". PRSIndia. 30 January 2019. Archived from the original on 2 January 2020. Retrieved 2 January 2020.
  29. "The Personal Data Protection Bill could be a serious threat to Indians' privacy". Forbes India. Archived from the original on 17 December 2019. Retrieved 21 December 2019.
  30. "Data Protection Bill withdrawn: Roadblocks towards a comprehensive data protection framework". lakshmisri.com. Retrieved 28 August 2023.
  31. "The Digital Personal Data Protection Bill, 2023". PRS Legislative Research. Retrieved 8 January 2024.
  32. "The Digital Personal Data Protection Bill, 2023". PRS Legislative Research. Retrieved 28 August 2023.
  33. "Deadline for comments on digital data protection Bill extended". The Hindu. 17 December 2022. ISSN   0971-751X . Retrieved 28 August 2023.
  34. "Lok Sabha passes Digital Personal Data Protection Bill, 2023". The Economic Times. 7 August 2023. ISSN   0013-0389 . Retrieved 28 August 2023.
  35. "Digital Personal Data Protection Bill 2023 passed in Rajya Sabha: Key points". The Times of India. 11 August 2023. ISSN   0971-8257 . Retrieved 28 August 2023.
  36. 1 2 "India's Digital Personal Data Protection Act 2023 vs. the GDPR: A Comparison" (PDF). Latham & Watkins LLP. December 2023. Retrieved 11 July 2024.
  37. "India's new data protection law: How does it differ from GDPR and what does that mean for international businesses?". Herbert Smith Freehills. 10 October 2023. Retrieved 11 July 2024.
  38. 1 2 Ganguly, Shirsha (30 August 2023). "Data Protection Board To Function As Adjudicator, Not Regulator, Clarifies MoS IT". thelogicalindian.com. Retrieved 6 September 2023.
  39. Ganesan, Aarathi (2 November 2023). "Data Protection Board of India: Composition and its Impact". MediaNama. Retrieved 8 January 2024.
  40. Ganesan, Aarathi (19 November 2022). "Role of Data Protection Board under draft data protection law 2022". MediaNama. Retrieved 8 January 2024.
  41. PTI (9 August 2023). "Government Expects To Implement New Data Protection Law Within 10 Months". BQ Prime. Retrieved 28 August 2023.
  42. "Exclusive: New law on digital competition likely to regulate Big Tech; IT Minister Ashwini Vaishnaw on Data Protection Bill". The Economic Times. Retrieved 28 August 2023.
  43. 1 2 3 4 5 6 7 8 9 G, Sandeep (4 January 2024). "Privacy Notice under the Digital Personal Data Protection Act, 2023". Bar and Bench - Indian Legal news. Retrieved 8 January 2024.
  44. 1 2 3 4 5 6 7 8 9 "Decoding the Digital Personal Data Protection Act, 2023". www.ey.com. Retrieved 8 January 2024.
  45. 1 2 3 4 5 6 7 "Decoding the Digital Personal Data Protection Act 2023". Moneylife NEWS & VIEWS. Retrieved 8 January 2024.
  46. "Data Protection Law: Focus on accountability & consent, but offline data must be treated at par". Financialexpress. 8 October 2023. Retrieved 8 January 2024.