The Digital Personal Data Protection Bill, 2023 was first introduced in the Lok
Sabha on 3rd August, 2023 by the Minister of Electronics and Information
Technology, passed by the Parliament on 7th August, 2023 and by the Rajya
Sabha on 9th August, 2023, with the objective of safeguarding the processing of
digital personal data in a manner that recognizes both the importance of the
rights of individuals and the need to process such data for lawful purposes or
for matters connected therewith.
This bill was introduced after the earlier Personal Data Protection Bills of
2019 and 2022 faced a lot of issues and backlash on the matters of
transparency, compliance, data storage and its localisation, etc. It followed
the landmark judgment of the Hon'ble Supreme Court in "Justice K.S.
Puttaswamy (Retd.) v Union of India", Writ Petition (Civil) No. 494 of 2012,
(2017) 10 SCC 1, which upheld the 'Right to Privacy' as a crucial part of
Article 21 of the Indian Constitution, i.e., the 'Right to Life'. The Hon'ble
court suggested that the Central Government must frame and implement an act to
protect the personal data of citizens, especially their digital personal data.
Object and Applicability of the Act
The key objective of the Act is to establish a secure and responsive framework
to protect and regulate the entire process, starting from obtaining the consent
of the user, to the collection of data, to its storage and processing. The
consent of the user is given great importance in the Act.
The Act applies to the processing of personal data in India, both data
collected online and offline data that has been digitised, and also to data
processed outside India in connection with the offering of goods and services
in India.
The Digital Personal Data Protection Act also lays down a basic framework for
the further laws on privacy that are required in an ever-advancing economy like
India, where the IT sector is expanding day by day, and for regulating the
future of Artificial Intelligence (AI) in India, which has hardly left any area
untouched.
This Act does not only focus on privacy concerns but will also serve as a
strong backbone for international contracts and trade.
Important Definitions and Salient Features of the Act
The Act clearly defines a number of key terms which are essential for a better
understanding of the Act and its importance:
- 'Appellate Tribunal' refers to the Telecom Disputes Settlement and Appellate Tribunal, which is established under section 14 of the Telecom Regulatory Authority of India Act, 1997.
- 'Automated' denotes any digital process capable of operating automatically in response to instructions given or otherwise for the purpose of processing data.
- 'Board' signifies the Data Protection Board of India established by the Central Government under section 18 of the Act.
- 'Certain legitimate uses' pertains to the uses as specified in section 7 of the Act.
- 'Chairperson' refers to the individual holding the position of Chairperson of the Board.
- 'Child' denotes an individual who has not yet reached the age of eighteen years.
- 'Consent' - Section 6 of the Act states that personal data may only be processed for specified purposes and with the proper consent of the 'Data Principal'. The consent so obtained must be free, specific, informed, unconditional and unambiguous, with a clear affirmative action. In order to obtain consent, the Data Fiduciary must provide a notice under Section 5 of the Act clearly stating the personal data being requested and the purpose for which it will be processed. The Data Principal has the right to withdraw their consent at any point in time.
However, as per the provisions of Section 7, such consent shall not be required
in the case of 'certain legitimate uses'. The Act specifies several such
scenarios in which personal data may be processed:
- When data is provided voluntarily by an individual for a specified purpose.
- When the State provides benefits or services, such as subsidies, certificates, licenses, permits, etc.
- When data processing is necessary for the security of the State or in the interest of the country's sovereignty and integrity.
- When responding to medical emergencies, treatment, or health services.
- When data processing is necessary for safety and in the interest of the State's security and public order.
- When processing data for employment purposes.
Additionally, for individuals with disabilities and those under the age of
eighteen (18), the Act requires consent to be given through their parent(s) or
lawful guardian.
Furthermore, the Act empowers the State or any instrumentality of the State to
retain personal data or to deny requests for the erasure of personal data, as
outlined in Section 17(4).
- 'Data' refers to information, facts, concepts, views, or instructions that may be easily communicated, interpreted, or processed by humans or machines.
- 'Data Fiduciary' is any person who, alone or in conjunction with others, determines the purpose and means of processing personal data.
- 'Data Principal' refers to the individual to whom personal data relates, including the parents or lawful guardian of a child, and the lawful guardian of a person with a disability.
- 'Data Processor' refers to any person who processes personal data on behalf of a Data Fiduciary.
- 'Data Protection Officer' refers to the individual appointed by a Significant Data Fiduciary under clause (a) of sub-section (2) of Section 10.
- 'Digital Office' means an office that adopts an online mechanism wherein the proceedings, from receipt of intimation, complaint, reference, directions or appeal, as the case may be, to the disposal thereof, are conducted in online or digital mode.
- 'Digital Personal Data' means personal data in digital form.
- 'Processing', in relation to personal data, means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.
Rights and Duties of the Data Principal
The rights and duties of a Data Principal, as outlined in Sections 12 to 15, are
as follows:
Rights:
- The right to obtain information about the processing of their data.
- The right to request correction and erasure of their Personal Data.
- The right to nominate another person to exercise their rights in case of death or incapacity.
- The right to grievance redressal.
- The right to withdraw consent at any time during or after the processing of Personal Data.
Duties:
- Not to register a false or frivolous complaint.
- Not to suppress any material information while providing personal data.
- Not to furnish false particulars or impersonate another person in specified cases.
Breach of these duties will result in penalties as per the Schedule to the Act.
Obligations imposed on the Data Fiduciaries by the Act
The obligations imposed on Data Fiduciaries under Section 8 of the Act are as
follows:
- Process Personal Data only with the explicit consent of the Data Principal or under certain legitimate uses. Deemed consent applies when the Data Principal hasn't explicitly denied consent.
- Take reasonable measures to ensure the accuracy and completeness of the data.
- Implement appropriate measures to safeguard Personal Data in their possession or under their control.
- Responsively address any communication from Data Principals regarding the exercise of their rights.
- Notify both the Data Protection Board of India and affected individuals in case of a personal data breach.
- Erase Personal Data once the purpose of its collection has been fulfilled and retention is no longer legally necessary (storage limitation). However, this may not apply to government entities.
Any breach of these obligations is subject to the provisions of Section 33 of
the Act, read with the Schedule thereto, which outlines the penalties for
non-compliance.
Transfer of personal data outside India is covered under Section 16 of the Act,
which allows extraterritorial processing and transfer of personal data, except
to countries restricted by the Central Government through notification from
time to time.
Exemptions from certain provisions of the Act are covered in Section 17 of the
Act. The provisions of Chapter II (obligations of Data Fiduciaries) and Chapter
III (rights and duties of Data Principals) are made inapplicable in specified
cases. These exemptions include situations related to:
- The prevention, investigation, or prosecution of offences.
- Enforcement of legal rights or claims.
- Processing of personal data that takes place outside the territory of India.
- Processing for the purpose of ascertaining financial information, assets, and liabilities.
Additionally, Section 17(2) states that the Act's provisions shall not apply to
the processing of Personal Data by the State or its instrumentalities in the
interest of security and public order, and when necessary for research,
archiving, or statistical purposes.
The establishment of the Data Protection Board of India (Board) is mandated by
Chapter V of the Act. The Board, comprising a Chairperson and other members,
will exercise powers and functions including directing urgent remedial or
mitigating measures in case of data breaches, inquiring into such breaches, and
imposing penalties as per the Act. The Board has original jurisdiction to
adjudicate upon complaints and matters arising under the Act, and civil courts
are barred from entertaining suits or proceedings falling within the Board's
jurisdiction.
Appeals against the decisions of the Board are governed by Section 29, with such
appeals lying with the Telecommunications Dispute Settlement and Appellate
Tribunal (TDSAT) established under the Telecom Regulatory Authority of India
Act, 1997. The limitation period for filing such appeals is sixty (60) days from
the date of receipt of the Board's decision. Orders passed by TDSAT are further
appealable before the Honorable Supreme Court as per Section 18 of the TRAI Act.
Penalties for offences and breaches - The Schedule to the Act delineates the
penalties to be levied for the various infractions and breaches falling within
its purview. For instance, penalties include fines of:
- INR 200 Crore for failure to comply with obligations concerning children
- INR 250 Crore for neglecting to implement security measures aimed at preventing data breaches as specified in Section 8(5)
- INR 200 Crore for failing to notify the Board or the Data Principal of a Personal Data breach as stipulated in Section 8(6)
Following an inquiry conducted pursuant to Section 33, such penalties will be
imposed by the Board.
Implications of the Act
With the implementation of this Act, all companies and businesses that deal in
or store personal data in any way will have to develop proper standard
operating procedures (SOPs) and train their employees in order to comply with
the various requirements of the Act, or otherwise face penalties. They will
also have to work with the Data Protection Officer appointed as per the
provisions of Section 10 of the Act.
Establishing the engagement of an Independent Data Auditor, implementing a
consent management system to gather, maintain, monitor, and revise consent from
individuals, conducting assessments to ensure data protection, maintaining
contractual agreements with data processors, and similar actions are essential
measures. However, it is imperative to clarify the criteria for categorizing
companies and startups as Data Fiduciaries, particularly regarding specific
thresholds and qualifications such as net worth, assets, company size, number of
employees, and their expertise.
Guarding Privacy: Genuine Protection or a Facade for Increased Control and
Surveillance?
Although the Act in its present form proposes to protect the Right to Privacy,
its provisions and their implementation still raise a lot of concerns. For
example, Section 36 empowers the Central Government to request 'such
information as it may call for' from the Board, any Data Fiduciary or any
intermediary. Such extensive power and vocabulary, when evaluated through a
legislative lens, reveal the Central Government's ingrained desire to monitor.
Furthermore, Section 17(2)(a) authorizes the Central Government to exempt any
State instrumentality from the rigors of the regulations governing Personal Data
Processing.
Furthermore, as Section 8(1)(j) of the Right to Information Act, 2005 (RTI Act)
is amended by Section 44(3) of the Act, the balance struck by the RTI Act
between privacy and the right to information will be lost, as the power of a
Public Information Officer (PIO) to withhold information can be perceived to
have widened.
Conclusion
To conclude, while the implementation of the Digital Personal Data Protection
Act, 2023 is a significant step towards safeguarding and promoting individual
rights under the 'Right to Privacy', and establishes a basic framework for the
development of further laws in this respect, it still has major concerns
regarding its implementation and potential procedural implications.
The Act introduces key definitions and provisions aimed at governing the
collection, storage, processing, and transfer of personal data, both within
India and across borders. It emphasizes the importance of obtaining informed and
voluntary consent from data principals and imposes stringent obligations on data
fiduciaries to ensure data protection and security.
However, certain provisions of the Act raise grave concerns about the extent of
government surveillance and control, particularly concerning the broad powers
granted to the Central Government and the exemptions provided to State
instrumentalities. Additionally, amendments to existing laws, such as the Right
to Information Act, could upset the balance between privacy rights and
transparency.
As businesses and organizations adapt to comply with the Act, they must navigate
complex compliance requirements and invest in robust data protection mechanisms.
The appointment of Data Protection Officers, implementation of consent
management systems, and engagement with independent auditors are critical steps
towards ensuring compliance and mitigating risks.
In essence, while the Digital Personal Data Protection Act of 2023 represents a
significant milestone in India's data protection landscape, ongoing scrutiny,
and vigilance are necessary to address concerns, uphold privacy rights, and
foster a trustworthy digital ecosystem for all stakeholders.