On August 7, 2023, the Digital Personal Data Protection Bill, 2023 was passed by the Lok Sabha and was then sent to the Rajya Sabha. It is a step towards the formation of the first Indian law that will govern how personal data will be collected, used, and processed by entities.
The August 2023 version of the Bill made revisions after a one-and-a-half-month-long public consultation process with inputs from 38 departments and ministries, 46 industry organizations, and around 21,000 inputs from the public. This Bill was passed with loud protests by the Opposition members of the Lok Sabha.
The public consultation process in the case of such an important Bill deserves scrutiny. The depth of the bill was so much that it went on for 42 days, from November 18, 2022, to January 2, 2023.
The comments have not been made public; thus, academics cannot access or analyze what the common objections were and if the ministry has responded in any substantial manner to them. In the final analysis, public consultation around this Bill served its purpose.
There are various issues with the content of the final draft. They have been discussed in detail by organizations such as the Internet Freedom Foundation. The consultancy process has resulted in more egregious points.
Publicly available data on the internet falls prey to data scraping. Automated data scraping without any regulatory oversight has the potential to reveal, via machine learning, sensitive intelligence that individuals did not consent to reveal when they posted some ostensibly harmless data on the internet.
The Bill will apply to the processing of digital personal data within India where such data is collected online, or collected offline and will be digitized. It will also apply to such processing outside India, it is for offering goods or services in India. Only after the consent of the individual, personal data will be processed for a lawful purpose. Consent is not required for legitimate uses, for example - voluntary sharing of data by the individual or processing by the State for permits, licenses, benefits, and services.
Data fiduciaries will be obligated to maintain the accuracy of data, ensure the security of data and delete data after the purpose has been met. The Bill grants certain rights to individuals, which include - the right to obtain information, seek correction, and grievance redressal.
The Bill applies to the processing of personal data within India where data is: (i) collected online, or (ii) collected offline and is digitized afterwards. It can also apply to the processing of personal data outside India if it is for offering goods or services in India. Personal data can be anything about an individual who is identifiable by or in relation to such data.
As per this bill, personal data may be processed only for a lawful purpose and also only after obtaining the consent of the individual. Notice must be provided before seeking consent. The notice should contain detailed information about the personal data to be collected and the reason why it is being processed. Consent may be withdrawn at any point in time. Consent will not be required for ‘legitimate uses’ including:
For individuals under the age of 18, consent will be provided by a parent or the legal guardian.
An individual whose data is being processed (data principal), will have the right to:
The entity determining the purpose and means of processing, must:
In case of government entities, storage limitation and the right of the data principle to erasure will not apply.
The Bill allows the transfer of personal data outside India, apart from the countries restricted by the central government through notification.
The August 2023 draft of the Bill alters the process selecting members of the Data Protection Board completely. All members will now be selected by the government of India. This creates a board controlled by the executive with no independence, contrary to the idea of data justice present in the original draft of the Personal Data Protection Bill created by the B N Srikrishna Committee in 2018.
This bill has all the capability to revolutionize the realm of cyber security. Following the same principles Cyber Cops are all set to deliver alike services while strengthening the roots of cyber security & disrupt every thread of malicious activity that might cause havoc in an organization’s data protection!