The Digital Personal Data Protection Bill, 2023
Source: Bar and Bench

The Digital Personal Data Protection Bill of 2023 intends to govern digital personal data processing while protecting individuals' data protection rights and the legitimate need to utilize such data for lawful purposes. The bill protects data that can be used to identify individuals.

It specifies the responsibilities of businesses (Data Fiduciaries) that manage such data, the rights of individuals (Data Principals) to whom the data relates, and the consequences of violations.

The bill is founded upon seven principles:

  1. Consent-based, lawful, and transparent use of personal data.
  2. Limiting data use to the purpose specified during consent.
  3. Collecting only essential personal data for the specified purpose.
  4. Ensuring data accuracy and currency.
  5. Storing data only as long as required for the designated purpose.
  6. Implementing reasonable security measures.
  7. Holding entities accountable through penalties for breaches and violations.

Individuals are given various rights under the bill, including:

  1. Access to information about processed personal data.
  2. The right to correct and erase data.
  3. Redressal of grievances.
  4. The right to nominate someone to act on their behalf in cases of incapacity or death.

To assert their rights, Data Principals can first approach the Data Fiduciary. If dissatisfied, they can file a complaint with the Data Protection Board.

The bill specifies several requirements for Data Fiduciaries, including:

  1. Taking security precautions to stop data leaks.
  2. Reporting data breaches to Data Principals and the Data Protection Board.
  3. Erasing personal data when consent has been withdrawn or when the data is no longer needed.
  4. Creating a framework for grievance resolution and designating an officer.
  5. Additional duties for Significant Data Fiduciaries, such as data audits and recurring evaluations.

The bill protects the privacy of children's personal information. Processing a child's data requires parental agreement, and processing that would be harmful to the child's well-being or that involves tracking, monitoring, or targeted advertising is illegal.

The bill's exemptions apply to things like:

  1. National security and public order.
  2. Research, statistics, and archiving.
  3. Specific categories of Data Fiduciaries like startups.
  4. Legal rights enforcement.
  5. Judicial or regulatory functions.
  6. Offense prevention, detection, investigation, or prosecution.
  7. Processing non-resident data under foreign contracts.
  8. Approved mergers or demergers.

The key functions of the Data Protection Board are as follows:

  1. Providing remedies for data breaches.
  2. Investigating violations and complaints, and assessing fines.
  3. Resolving disagreements and accepting voluntary obligations.
  4. Advising the government to take action against repeat offenders.

The DPDP Bill is a broad and ambitious piece of legislation aimed at protecting individuals' privacy in India. It remains to be seen how the Bill will be implemented in practice, but it is a step in the right direction toward giving individuals control over their data.



Vinay Kumar

Quality & Delivery|| Six Sigma Black Belt Certified|| PMP Certified||Digital Marketing Certified||SAP-FICO Certified

1 year ago

Vasant SP, do you have any update on what happens if someone breaches the data protection? Like GDPR & CASL, there are penalties against the defaulters. Hope something is there in our Indian law as well.
