What is Digital Personal Data Protection Bill, (DPDP Bill) 2023?An overview

Leave a Comment / compliance and regulations, cybersecurity definitions

The Digital Personal Data Protection Bill (DPDP) 2023 is a landmark legislation in India that aims to protect the privacy of individuals’ personal data. The bill was passed by the Lok Sabha and Rajya Sabha in August 2023 and is awaiting assent from the President.

What is DPDP Bill 2023, India’s New data protection law?

The Digital Personal Data Protection Bill, 2023 was introduced in Lok Sabha on August 3, 2023. A robust framework for data protection from in India, DPDP Bill has provisions to protect rights of ALL citizens. The DPDP bill introduces a number of new concepts and provisions for the protection of personal data, including:

  • The definition of “personal data” is expanded to include any information that can be used to identify an individual, including biometric data, genetic data, and online identifiers.
  • Data fiduciaries (entities that collect and process personal data) are subject to a number of obligations, including obtaining consent from individuals before collecting their personal data, using personal data only for the purposes for which it was collected, and protecting personal data from unauthorized access, use, or disclosure.
  • Individuals are granted a number of rights with respect to their personal data, including the right to access, correct, delete, port, and restrict the processing of their personal data.
  • The DPDP bill 2023 establishes a Data Protection Authority (DPA) to oversee compliance with the law and to investigate and resolve complaints about data privacy violations.

The DPDP bill is a significant step forward for data protection in India. It is a comprehensive and modern law that is designed to protect the privacy of individuals’ personal data. The bill is also aligned with international standards for data protection, such as the European Union’s General Data Protection Regulation (GDPR).

Key regulatory points of the DPDP Bill 2023

The DPDP Bill 2023 is a comprehensive law that covers a wide range of aspects of data protection. However, there are a few sections that are particularly important, including:

  • Section 3: This section defines the key terms used in the bill, such as “personal data,” “data fiduciary,” and “data processor.”
  • Section 4: This section sets out the principles that data fiduciaries must follow when collecting and processing personal data. The principles of data protection encompass the ideas of legality, justice, clarity, limiting data to its intended purpose, reducing the volume of data, ensuring its precision, limiting its storage time, maintaining its integrity and secrecy, and ensuring responsibility.
  • Section 13: This section sets out the rights of individuals with respect to their personal data. These rights include the right to access, correct, delete, port, restrict, and object to the processing of their personal data.
  • Section 24: This section establishes the Data Protection Authority (DPA), which is an independent body that will be responsible for overseeing compliance with the DPDP Bill and investigating and resolving complaints about data privacy violations.
  • Section 37: This section sets out the penalties for violating the DPDP Bill. These penalties can be severe, including fines of up to INR 1 crore (USD 1.3 million) or imprisonment for up to three years, or both.

These are just a few of the important sections of the DPDP Bill 2023. The bill is comprehensive and complex, and it is important to read the entire bill to understand its full implications.

DPDP Bill 2023 Accountability

The DPDP Bill 2023 places a strong emphasis on accountability for data fiduciaries. Data fiduciaries are entities that collect and process personal data. The bill requires data fiduciaries to be accountable for their actions, and to take steps to protect the privacy of individuals’ personal data.

The DPDP Bill 2023 defines accountability as “the responsibility of a data fiduciary to comply with the provisions of this Act and the rules made thereunder.” Data fiduciaries must take all reasonable steps to comply with the bill, and they must be able to demonstrate that they have done so.

The DPDP Bill 2023 sets out a number of specific requirements for data fiduciaries to demonstrate accountability. For example, data fiduciaries must:

  • Have a data protection policy in place.
  • Appoint a data protection officer (DPO).
  • Conduct data protection impact assessments (DPIAs).
  • Implement appropriate technical and organizational measures to protect personal data.
  • Respond to data subject requests.
  • Report data breaches to the Data Protection Authority (DPA).

The DPDP Bill 2023 also provides for a number of enforcement mechanisms to ensure that data fiduciaries are accountable. The DPA has the power to investigate and take action against data fiduciaries that violate the bill. The DPA can issue orders to data fiduciaries to comply with the law, and it can impose fines on data fiduciaries for violations of the law.

The DPDP Bill 2023’s focus on accountability is a significant step forward for data protection in India. The bill places the responsibility for protecting personal data on the entities that collect and process it. This will help to ensure that individuals’ personal data is protected, and that data fiduciaries are held accountable for their actions.

Data Security Measures Under DPDP Bill 2023

The DPDP Bill 2023’s data security measures are designed to protect personal data from unauthorized access, use, disclosure, alteration, or destruction. These measures are necessary to ensure the privacy and security of individuals’ personal data.

The DPDP Bill 2023 sets out a number of data security measures that data fiduciaries must implement to protect personal data. These measures include:

  • Implementing appropriate technical and organizational measures to protect personal data: Data fiduciaries must implement appropriate technical and organizational measures to protect personal data from unauthorized access, use, disclosure, alteration, or destruction. These measures should be commensurate with the risk of harm to individuals from unauthorized access, use, disclosure, alteration, or destruction of their personal data.
  • Maintaining a record of all processing activities: Data fiduciaries must maintain a record of all processing activities carried out by them or on their behalf. This record must include information such as the purpose of processing, the categories of personal data processed, the recipients of personal data, and the safeguards in place to protect personal data.
  • Appointment of a data protection officer (DPO): Data fiduciaries that process personal data on a large scale or that process sensitive personal data must appoint a DPO. The DPO is responsible for overseeing compliance with the DPDP Bill and for advising data fiduciaries on data protection matters.
  • Conducting data protection impact assessments (DPIAs): Data fiduciaries that intend to process personal data in a way that is likely to result in a high risk to the rights and freedoms of individuals must conduct a DPIA. A DPIA is a process for identifying, assessing, and mitigating the risks to individuals’ rights and freedoms from the processing of their personal data.
  • Responding to data subject requests: Data fiduciaries must respond to data subject requests in a timely and meaningful manner. Data subject requests can include requests for access to personal data, requests for correction of personal data, requests for deletion of personal data, and requests to restrict the processing of personal data.
  • Reporting data breaches to the Data Protection Authority (DPA): Data fiduciaries must report data breaches to the DPA within 72 hours of becoming aware of the breach. A data breach is any incident that results in the unauthorized access, use, disclosure, alteration, or destruction of personal data.

When you’re allowed to process data under DPDP Bill 2023?

The DPDP Bill 2023’s provisions on the processing of personal data are designed to balance the interests of data fiduciaries with the rights of data subjects. The bill allows data fiduciaries to process personal data for legitimate purposes, but it also protects the privacy of data subjects by requiring data fiduciaries to obtain consent and to comply with a number of other restrictions.

The DPDP Bill 2023 sets out a number of conditions under which data fiduciaries are allowed to process personal data. These conditions include:

  • Consent: Data fiduciaries may process personal data only with the consent of the data subject. Consent must be freely given, specific, informed, and unambiguous.
  • Legitimate interests: Data fiduciaries may process personal data without consent if it is necessary for the legitimate interests of the data fiduciary or a third party, unless the interests or fundamental rights and freedoms of the data subject override those legitimate interests.
  • Performance of a contract: Data fiduciaries may process personal data without consent if it is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
  • Legal obligation: Data fiduciaries may process personal data without consent if it is necessary to comply with a legal obligation to which the data fiduciary is subject.
  • Public interest: Data fiduciaries may process personal data without consent if it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data fiduciary.
  • Statutory exemption: Data fiduciaries may process personal data without consent if it is necessary for the purposes of a statutory exemption.

The DPDP Bill 2023 also sets out a number of specific restrictions on the processing of personal data. For example, data fiduciaries may not process personal data for the purposes of direct marketing without the consent of the data subject.

DPDP Bill 2023 Scope, penalties, and key definitions

What are the key provisions of DPDP Bill 2023?

The DPDP Bill is a comprehensive law that covers a wide range of aspects of data protection. Here are some of the key provisions of the bill:

Definition of personal data

The DPDP Bill defines “personal data” as any information that relates to an identifiable individual, whether directly or indirectly, and that is processed in digital form or is intended to be processed in digital form. This definition is broad and includes a wide range of information, such as names, addresses, phone numbers, email addresses, financial information, biometric data, and genetic data.

Obligations of data fiduciaries

The DPDP Bill imposes a number of obligations on data fiduciaries, which are entities that collect and process personal data. These obligations include:

  • Obtaining consent from individuals before collecting their personal data.
  • Using personal data only for the purposes for which it was collected.
  • Protecting personal data from unauthorized access, use, or disclosure.
  • Providing individuals with access to their personal data and the opportunity to correct it.
  • Deleting personal data upon request from individuals.
  • Reporting data breaches to the Data Protection Authority (DPA).

Rights of individuals

The DPDP Bill 2023 grants individuals a number of rights with respect to their personal data, including:

  • The right to access their personal data.
  • The right to correct their personal data.
  • The right to delete their personal data.
  • The right to port their personal data to another data fiduciary.
  • The right to restrict the processing of their personal data.
  • The right to object to the processing of their personal data.

Data Protection Authority (DPA)

The DPDP Bill 2023 establishes a Data Protection Authority (DPA) to oversee compliance with the law and to investigate and resolve complaints about data privacy violations. The DPA will have a wide range of powers, including the power to:

  • Issue orders to data fiduciaries to comply with the law.
  • Impose fines on data fiduciaries for violations of the law.
  • Suspend or revoke the licenses of data fiduciaries that violate the law.

The DPDP Bill is a comprehensive and modern law that is designed to protect the privacy of individuals’ personal data. The bill is also aligned with international standards for data protection, such as the European Union’s General Data Protection Regulation (GDPR).

However, the DPDP bill has also been criticized for some of its provisions. For example, the bill allows the government to access personal data without consent in certain circumstances, such as for national security purposes. Additionally, the bill does not provide for a private right of action, meaning that individuals cannot sue data fiduciaries for damages if their personal data is violated.

History and Timeline of the DPDP Bill 2023

July 27, 2018

PDP Bill Draft

The Ministry of Electronics and Information Technology (MeitY) releases a draft of the Personal Data Protection Bill (PDP Bill). This is the first time that the government has proposed a comprehensive law on data protection in India.

July 27, 2018
November 12, 2019

PDP Bill Draft in Lok Sabha

The PDP Bill is introduced in the Lok Sabha, the lower house of the Indian Parliament. This was a significant milestone, as it meant that the bill was now being considered by the Indian Parliament.

November 12, 2019
January 1, 2019

The PDP Bill is referred to a parliamentary committee

The PDP Bill is referred to a parliamentary committee for further study. . This is a common practice in the Indian Parliament, as it allows the committee to review the bill in detail and make recommendations for changes.

January 1, 2019
January 1, 2019

The parliamentary committee submits its report on the PDP Bill

The parliamentary committee submits its report on the PDP Bill. The report includes a number of recommendations for changes to the bill, including strengthening the penalties for data privacy violations.

January 1, 2019
January 1, 2019

Revised draft of the PDP Bill

The government releases a revised draft of the PDP Bill. This draft incorporates the recommendations of the parliamentary committee.

January 1, 2019
January 1, 2019

The PDP Bill is passed by the Lok Sabha and Rajya Sabha

The PDP Bill is passed by the Lok Sabha and Rajya Sabha, the upper house of the Indian Parliament. This is a major milestone, as it means that the bill has been approved by both houses of the Indian Parliament.

January 1, 2019
January 1, 2019

The PDP Bill is awaiting assent from the President

The PDP Bill is awaiting assent from the President. This is the final step before the bill becomes law.

January 1, 2019

Who does DPDP Bill 2023 Apply To?

The DPDP Bill 2023 pertains to the handling of personal digital data in India, encompassing both online and offline digitized information. It also covers data processing done outside India when related to providing goods or services to Indians

How India DPDP Bill Will be Applied?

The DPDP Bill will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised. The bill defines “digital personal data” as any information that relates to an identifiable individual, whether directly or indirectly, and that is processed in digital form or is intended to be processed in digital form.

The DPDP Bill will apply to a wide range of entities that process digital personal data, including:

  • Government agencies
  • Private businesses
  • Non-profit organizations
  • Individuals

The DPDP Bill will require these entities to comply with a number of obligations, including:

  • Obtaining consent from individuals before collecting their personal data
  • Using personal data only for the purposes for which it was collected
  • Protecting personal data from unauthorized access, use, or disclosure
  • Providing individuals with access to their personal data and the opportunity to correct it
  • Deleting personal data upon request from individuals
  • Reporting data breaches to the Data Protection Authority (DPA)

The DPDP Bill also grants individuals a number of rights with respect to their personal data, including:

  • The right to access their personal data
  • The right to correct their personal data
  • The right to delete their personal data
  • The right to port their personal data to another data fiduciary
  • The right to restrict the processing of their personal data
  • The right to object to the processing of their personal data

The DPDP Bill establishes a Data Protection Authority (DPA) to oversee compliance with the law and to investigate and resolve complaints about data privacy violations. The DPA will have a wide range of powers, including the power to:

  • Issue orders to data fiduciaries to comply with the law
  • Impose fines on data fiduciaries for violations of the law
  • Suspend or revoke the licenses of data fiduciaries that violate the law

The DPDP Bill is a comprehensive and modern law that is designed to protect the privacy of individuals’ personal data. The bill is also aligned with international standards for data protection, such as the European Union’s General Data Protection Regulation (GDPR).

Here are some specific examples of how the DPDP Bill will apply to the processing of digital personal data within India:

  • A company that collects personal data from its customers online will need to obtain consent from those customers before collecting their data. The company will also need to use the data only for the purposes for which it was collected, and it will need to protect the data from unauthorized access, use, or disclosure.
  • A government agency that collects personal data from its citizens will need to comply with the DPDP Bill’s obligations, even if the data is collected offline. The agency will need to obtain consent from its citizens before collecting their data, and it will need to use the data only for the purposes for which it was collected.
  • An individual who collects personal data from others for a research project will need to comply with the DPDP Bill’s obligations. The individual will need to obtain consent from the individuals whose data is being collected, and it will need to use the data only for the purposes of the research project.

The DPDP Bill is a significant step forward for data protection in India. It is a comprehensive and modern law that is designed to protect the privacy of individuals’ personal data. The bill is also aligned with international standards for data protection, such as the European Union’s General Data Protection Regulation (GDPR).

The DPDP Bill is still a work in progress and it could be amended before it is finally enacted into law. However, the bill, as it is currently drafted, represents a major advancement in data protection in India.

About The Author

Team ZCySec strives to simplify complex cyber security concepts and provide practical tips and advice that readers can use to protect themselves against online threats. Whether it's through blog posts, white papers, or other types of content, our 'security awareness' team is committed to helping readers understand the importance of cyber security and how they can safeguard their digital lives.

Leave a Comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Scroll to Top