THE DIGITAL PERSONAL DATA PROTECTION BILL, 2023
INTRODUCTION:
On 3rd August 2023, the Digital Personal Data Protection Bill, 2023 (“Bill”) was tabled before the Parliament
of India. The Bill outlines the rights and duties of citizens and establishes guidelines for the lawful
utilization of personal data, aiming to regulate and safeguard the use of personal data. The scope of the
Bill covers handling digital personal data within India. Furthermore, the Bill extends its applicability to the
processing of personal data outside India when it involves offering goods or services to individuals in India.
BASIS OF THE BILL:
The Bill is based on the following principles of data economy:
(i) Lawful, transparent, and secure collection and utilization of personal data of Indian citizens.
(ii) Data must be utilized for lawful purposes and stored securely until the intended purpose is
fulfilled.
(iii) Only relevant data should be collected and used for a predefined purpose.
(iv) Data protection and accountability.
(v) Accuracy of data.
(vi) Reporting data breaches transparently and fairly to Data Protection Boards.
APPLICABILITY AND SCOPE:
The Bill applies to the processing of ‘Digital Personal Data’. This includes data collected online and offline,
which is subsequently digitized. The non-personal data and data in non-digital formats are excluded from
its ambit. The Bill applies to the processing of digital personal data within India’s borders, as well as to the
processing of digital personal data outside India if it involves profiling or offering goods or services to
individuals within India.
CONSENT:
As per the provisions of the Bill, personal data may only be processed for lawful purposes with the
individual’s consent, which should be obtained after providing prior notice. However, consent is not
necessary for certain ‘legitimate uses,’ including: (i) processing data for a specified purpose provided
voluntarily by the individual which is defined as ‘deemed consent’, (ii) when the government provides
benefits or services, (iii) in cases of medical emergencies, and (iv) for employment-related matters.
For individuals below 18 years of age, consent will be obtained from their parent or legal guardian.
RIGHTS AND DUTIES OF DATA PRINCIPAL:
The Bill grants rights and imposes duties on data principals, who are individuals whose data is being
processed. Data principals have the right to (i) receive information about the processing of their data, (ii)
request the correction and erasure of their personal data, (iii) nominate another person to exercise their
rights in the event of death or incapacity, and (iv) have access to grievance redressal mechanisms