The collection of personal data at a large scale has become a common practice in
India, with employers, shop owners, schools, government, and other entities
collecting and processing personal data of individuals. However, the absence of
any significant law to protect the data or penalize any lapse during the
processing of data has led to heavy leaks of personal data. One such example is
the leak of data of millions of teachers and students from the DIKSHA app being
operated by the Ministry of Education in January 2023.
The data was stored by the Digital Infrastructure for Knowledge Sharing app, or
Diksha, a public education app launched in 2017, and was left unprotected,
exposing millions of individuals' data to hackers, scammers, and virtually
anyone who knew where to look.
This incident highlights the urgent need for a comprehensive data protection
framework, which the Digital Personal Data Protection Bill, 2023 seeks to
establish. With 44 provisions and a Schedule on penalties, the Digital Personal
Data Protection Bill seeks to protect the data of nearly 80 Cr internet users in
India.
History and Origin
The Digital Personal Data Protection Bill, 2023 draws on Europe's General Data
Protection Regulation (GDPR), as can be seen in the concepts shared by both
regulations, such as consent having to be taken before the processing of data.
However, the DPDP Bill has adapted these concepts to the Indian context, for
example by requiring the consent to be in all the listed
The need for protection of personal data first arose after the Supreme Court
verdict in the case of Justice KS Puttaswamy vs Union of India, wherein it was
held that the right to privacy is a fundamental right under the Constitution of
India. Based on this judgment, in 2017 the Ministry of Electronics and
Information Technology established a committee under the leadership of retired
Justice BN Srikrishna, termed the Srikrishna Committee. This committee was
responsible for drafting the bill for the protection of digital personal data.
Finally, after various discussions and sessions within the committee and in
Parliament, the bill was passed in both the houses in August 2023, and on
August 11, 2023 the Digital Personal Data Protection Bill, 2023 was granted
assent by the President of India.
Applicability of the Bill
The applicability of the DPDP Bill 2023 is based on the territory in which the
collected personal data is being processed.
This can be summarized in two scenarios, namely:
- Processing of personal data within the territory of India: the provisions of the DPDP Bill shall apply to all personal data collected in digital form, or digitized after collection, if the processing of the same is to be done within the territory of India.
- The point to be noted here is that if the data is collected in physical form and not digitized, no provision of the bill applies. Though, with the current dependency on technology, it is nearly impossible to process any data without it being digitized first.
- Processing of personal data outside the territory of India: in this scenario the DPDP Bill is applicable only if the processing is done in connection with any activity of offering goods and services to data principals in India.
Concept of Notice, Consent & Legitimate uses:
For every data fiduciary to collect and process personal data, it has to take
the consent of the data principal to whom the data relates. The consent shall
be accompanied by or preceded with a notice, which will inform the principal of
the data being collected and the purpose of the processing.
Compliance for Data Fiduciaries:
- Notice: A notice in clear and plain language shall accompany or precede a request for consent. The notice, if requested, shall be made available in English or any of the 22 listed languages. The notice shall contain:
  - The personal data and the purpose for which the same is proposed to be processed.
  - The manner in which consent may be withdrawn.
  - The manner in which the grievance redressal mechanism may be accessed.
- Consent: Consent shall act as an agreement between the data principal and the data fiduciary for processing of personal data for the purposes established by the notice. The notice shall also be plain and simple and should be available in all the languages mentioned in the 8th Schedule; in addition, it shall contain the contact details of the consent manager registered with the Data Protection Board. The data principal can withdraw consent at any time, and in case of any dispute, the burden of proving that consent and notice were obtained lies on the data fiduciary.
- Legitimate uses: The bill provides for certain uses/purposes for which no consent is required to be taken, provided the data principal has voluntarily provided her personal data to the data fiduciary. The purposes so mentioned are termed legitimate uses and include processing:
  - For the purpose of employment.
  - By the State in the interest of the sovereignty and security of the State.
  - During a medical emergency or at times of public emergency.
  - For fulfillment of any obligation under any law in force in India.
Even an overview of the bill is enough to understand that it comes with immense
compliance requirements for a data fiduciary. The key compliance requirements
for the data fiduciary include:
- Take Responsibility for Compliance:
The data fiduciary itself is responsible for proving compliance with the requirements for consent, notice, etc. This makes it necessary for the data fiduciary to take responsibility for compliance and to maintain a database of all the consents and notices exchanged with the data principals.
- Send Personal Data Breach Notification:
In case of any breach and a consequent leak of personal data, it is the responsibility of the data fiduciary to notify the breach to the Board as well as to the people affected by the breach.
- Develop a Grievance Redressal Mechanism:
The first point of contact in case of any grievance shall be the data fiduciary itself; thereby, the data fiduciary shall appoint a consent manager as a physical point of contact to address any grievances, and also develop a robust IT system to redress any grievances that may arise.
- Take Appropriate Technical & Organizational Measures for Securing Data:
It is the responsibility of the data fiduciary to keep the data collected safe, and it shall apply appropriate technical measures to protect against any potential breach.
- Technical Measures for Retention and Erasure of Data:
The DPDP Bill brings heavy compliance for the IT teams of data fiduciaries; the IT team shall be responsible for all technical measures, such as deploying a firewall to prevent data leaks, maintenance of the database, and processing requests for the retention and deletion of data.
A point to be noted here is that the data fiduciary itself shall be responsible
for making sure that the personal data collected is accurate, complete, and
Additional Obligations for Processing of Children's Data:
Any data fiduciary processing personal data related to a child, where a child
is an individual who has not attained the age of 18 years, needs to take care of
additional obligations over and above those stated above. These obligations are
specially concerned with the booming ed-tech sector, which is involved in
processing and utilizing large-scale children's data.
The obligations are as follows:
- Obtain verifiable parental consent for the child:
For processing the data of a child, consent from the parent or legal guardian of the child needs to be taken by the fiduciary, and the fiduciary shall, if required, also be able to verify the consent obtained from the parent.
- Targeted advertisement:
The data collected from a child cannot be used to bombard the child with targeted advertisements.
- No tracking:
The data obtained from the child cannot be used to track the child; this move is associated with the fact that such tracking for targeted advertisement may have a detrimental impact on the child's wellbeing.
Transferring data beyond the Borders of India (Cross-Border Data Transfer)
With the emergence of third-party data processors, the risk involved in
cross-border transfer of data for processing increases substantially, and this
was addressed by the bill. In the draft bill as presented in 2022, any such
cross-border transfer was tightly governed. In the final bill, however, a much
more lenient and liberal approach was adopted for cross-border transfer of data,
with tight exceptions on transferring the data to such countries as may be
notified by the State.
This move allows free sharing of data with friendly countries while controlling
the transfer of data to potentially riskier nations which may use the data to
target Indian data principals.
For a data principal to exercise their rights, or in any case of breach by the
data fiduciary, the following oversight mechanism has been established by the bill.
- A complaint shall be raised by the principal to the consent manager of the data fiduciary, whose contact details are provided by the data fiduciary.
- If a complaint is not resolved by the data fiduciary, it can be escalated to the Board.
- If the principal is not content with the order passed by the Data Protection Board, an appeal lies with the Appellate Tribunal within 60 days of receiving the order from the Board.
- Finally, an appeal against the order of the Appellate Tribunal lies with the Honorable Supreme Court of India.
In conclusion, the Digital Personal Data Protection Bill 2023 is a significant
step forward in protecting the personal data and privacy of Indian citizens. It
is a much-needed upgrade from previous regulations and brings heavy compliance
obligations on entities that process large volumes of personal data, such as
telecom companies and education institutes. The bill introduces various new
concepts and posts, such as a data protection officer, making compliance a
mammoth task for the internal IT teams within an entity.
The bill's key provisions, including its applicability to the processing of
digital personal data within India, make it a milestone in shaping India's data
protection regime. Overall, the Digital Personal Data Protection Bill 2023 is a
comprehensive data protection regime that will go a long way in safeguarding the
personal data of Indian citizens.