Explained: Digital Personal Data Protection bill tabled in Lok Sabha, here’s what it’s all about

  • It proposes data protection legislation that allows the transfer and storage of personal data in some countries while raising the penalty for violations.

Saurav Mukherjee
Updated 3 Aug 2023
Union Minister for Electronics & Information Technology Ashwini Vaishnaw introduces the Digital Personal Data Protection Bill, 2023, in the Lok Sabha during Monsoon session of Parliament, in New Delhi, Thursday, Aug. 3, 2023. (PTI Photo)

The Prime Minister Narendra Modi-led union government on 3 August introduced the Digital Personal Data Protection Bill, 2023 in the Lok Sabha.

It was tabled in the parliament by Union Communications, Electronics, and Information Technology Minister Ashwini Vaishnaw, amid strong opposition by Opposition leaders who claimed it violates the fundamental right to privacy.

The Opposition sought that the bill be sent to the standing committee for scrutiny, arguing that the government had withdrawn a bill on data protection last year and that the new bill needs more scrutiny.

Vaishnaw, however, claimed that this bill is not a money bill and that all issues raised by the opposition will be answered during the debate.

Government's take:

Meanwhile, MoS for Electronics and Information Technology Rajeev Chandrasekhar said the bill will protect the rights of all citizens.

He took to Twitter and wrote, "DPDPBill introduced in #Parliament is a very significant milestone in PM @narendramodi ji's vision of Global Standard Cyber Laws for India's $1T #DigitalEconomy and #IndiaTechade. @GoI_MeitY has developed this bill after extensive consultations which I led - with all stakeholders including #DigitalNagriks."

Explaining more, he said, "This new Bill after it is passed by Parliament, will protect the rights of ALL citizens, allow the innovation economy to expand, and permit Govt's lawful n legitimate access in national security and emergencies like pandemics and earthquakes, etc." He mentioned, “DPDPBill is a global standard, Contemporary, FutureReady yet simple and easy to understand.”


What is Digital Personal Data Protection Bill?

As per details, the DPDP bill is legislation that sets out the rights and duties of the citizen (Digital Nagrik) on the one hand and the data fiduciary's obligations to use collected data lawfully on the other. The Bill, which seeks to govern and safeguard the use of personal data, sets out the rights and duties of users and the obligations on businesses.

It is based on six principles of the data economy, of which the first talks about the collection and usage of the personal data of citizens of India. The collection and usage of personal data should be lawful, the data must be protected from breach, and transparency should be maintained. The second principle talks about data collection exercises, which must be for a legal purpose, and the data should be safely stored till the purpose is served.

The next principle talks about data minimization, which says that only relevant data about individuals should be collected and that serving the pre-defined purpose should be the only aim.

The fourth principle is regarding Data Protection and Accountability while the fifth talks about the accuracy of data. The last principle lays down the rules regarding reporting a data breach. In case of a data breach, it should be reported in a fair, transparent, and equitable manner to the Data Protection Boards.

What does the DPDP bill propose?

It proposes data protection legislation that allows the transfer and storage of personal data in some countries while raising the penalty for violations.

Also, the proposed legislation stipulates consent before collecting personal data and provides for stiff penalties of as much as 500 crore on persons and companies that fail to prevent data breaches, including accidental disclosures, sharing, altering, or destroying personal data.

Applicability and Scope of DPDP bill:

The bill applies to the processing of ‘Digital Personal Data’ and excludes from its ambit both non-personal data and data in non-digital formats, reported HT.

This applies to processing digital personal data within the Indian territory and processing digital personal data outside India if such processing is in connection with any profiling or offering goods or services to data principals within India.

However, it doesn't apply to non-automated processing, processing for domestic or personal purposes by individuals, and personal data about individuals contained in records that have been in existence for at least 100 years, quoted the report.

Consent Criteria:

As per the bill, the personal data of an individual can only be processed for a lawful purpose for which the concerned individual has given consent or is deemed to have given her consent. It mentions the consent should be free, specific, informed, and unambiguous. A clause on deemed consent has also been added, referring to situations where consent is not expressly needed.

Data Localisation and Cross-Border Transfer:

According to the current bill, cross-border data flow to certain countries and territories has been permitted, along with relaxations in data localization requirements.

Data Retention:

To determine non-compliance and impose penalties, a Data Protection Board will be set up, which will be ‘digital by design’ and will also accept voluntary undertakings.

The Bill permits data fiduciaries to retain personal data for ‘Business Purposes’ even after the purpose for collection is no longer served by its retention.

Personal Data Breach Penalty:

In the bill, a penalty of 200 crore is proposed if the data fiduciary or the data processor fails to report a personal data breach to the Data Protection Board and affected individuals.

Also, for failure to ensure reasonable security safeguards, the Data Fiduciary or Processor can be penalized up to 250 crores.

In case the Board, under an inquiry, determines that non-compliance by a person is significant, it may impose a penalty as specified in Schedule 1 of the Bill, not exceeding 500 Crores in each instance, reported HT.

Experts' opinions:

Commenting on the bill, Manish Sehgal, Partner, Deloitte India, said to LiveMint, “The moment we have been waiting for the past few years has finally arrived! The much-anticipated privacy bill (referred to as Digital Personal Data Protection Bill, 2023), was tabled in the Parliament on Thursday, August 3rd, 2023. Once enacted, it will enable individuals (referred to as Data Principals) to govern their own personal (digital) data and will drive enterprises (referred to as Data Fiduciary) to process the personal data of individuals lawfully, for specific purposes only. Given the bill’s extra-territorial coverage, enterprises based outside India serving individuals in India will also be expected to adhere to the provisions of this bill once enacted. Enterprises will have to review the current ways of working especially for the personal data of individuals such as their employees, customers, merchants, vendors, etc. to be able to honor the rights that individuals may exercise, such as the right to access, update, erase their data, etc. Nonadherence of obligation listed in the bill may attract sanctions and commercial penalty as high as 250 crore."

He added, "As more guidance will be released in days/months to come, it's highly recommended that enterprises don’t wait and start their readiness journey right away with the fundamental step of data hygiene i.e. where is the data within the enterprise, who accesses it, who processes it and how data flows from one function to another. Right processes, tools & solutions, governance, accountability, and most importantly awareness amongst people are core to be ready. Once the bill will be enacted, transformation is imminent and enterprises should embrace it, not just for compliance purposes but to establish and operate in a privacy-enabled environment.”

Shahana Chatterji, Partner, Shardul Amarchand Mangaldas & Co. said to LiveMint, “The Digital Personal Data Protection Bill, 2023 Bill prepared by MEITY is a forward-looking legislation that will have a horizontal application across sectors and will also impact businesses of all sizes.”

She added, “As such, the DPDP Bill strikes an important balance in protecting users’ rights and promoting innovation in digital businesses. Its key business-friendly provisions include eliminating criminal penalties for non-compliance, facilitating international data transfers etc. On the other hand, it also provides for a comprehensive set of rights guaranteed to data principals which aims to create a transparent and accountable data governance framework going forward.”

“We laud the introduction of the DPDP Bill as an important step towards building a new legal architecture for digital businesses and the ushering in of India’s “techade” and remain supportive of MEITY’s ongoing regulatory efforts. We also appreciate MEITY’s efforts in conducting extensive public and stakeholder consultations for developing a robust legal framework that will set a new international precedent as far as data protection frameworks go. We hope that MEITY continues to follow this approach of multi-stakeholder engagement for future rulemaking under this new law,” she said.

Shreya Suri, Partner, INDUSLAW said to LiveMint, “The much-awaited draft of the Digital Personal Data Protection Bill, 2023 being tabled before both houses has finally been made public today as the Parliament goes into session for the day. This version of the draft takes into account critical stakeholder feedback and seeks to strike a delicate balance between the fundamental right to privacy guaranteed to Indian citizens, reasonable restrictions associated with such right, business viability- and also the global requirements for being considered an adequate jurisdiction for data processing. This is a welcome step and 5 years in the making!”

She added, “What is special about this version is the care and attention given to bring in Illustrative Examples which will serve as guiding principles for critical concepts around ‘consent’, ‘notice’, and ‘legitimate uses’, among others. Another heartening aspect about this piece of legislation is that the Ministry has extensively consulted with all categories of stakeholders and has been receptive to feedback to a large extent, such as lowering the age requirement for seeking parental consent for limited use cases on the basis of a determination to be made by the government. One other interesting feature is that this version points towards a jurisdiction blacklisting format with respect to the permissibility of cross-border data processing activities, unlike other major jurisdictions like the EU, where the approach is to identify and whitelist jurisdictions with adequate legal standards.”

Sujit Patel, MD and CEO, SCS Tech, said, "It is necessary to appreciate and comprehend the applicability of the Digital Personal Data Protection Bill, which creates a new framework for personal data security. The bill will bring India one step closer to establishing the law on data privacy and protection. It is being done to serve the greater aim of a Digital Economy. The bill is expected to give people more rights, visibility, awareness, autonomy in decision-making, and control over their data, while also requiring businesses to respect those rights and offer suitable remedies."

Dhiraj Gupta, Co-founder and CTO, mFilterIt, said, "In light of the new movement towards data privacy, businesses must be aware of their responsibilities towards their customer's data protection. Data protection must be balanced with the right equation of fraud detection associated with data. Businesses must be well-equipped to combat the threats of data breaches and ensure their customer's data is not at risk."

Udit Mehrotra, MD and CEO, Spectra, said, "As the Digital Private Data Protection Bill takes center stage in parliament today, it serves as a crucial reminder that just as user privacy is paramount in the digital age, network security stands as an equally imperative responsibility for companies. Safeguarding not only personal information but also the very infrastructure that holds it, ensures a landscape where trust, innovation, and progress can thrive unhindered."

With agency inputs.

