The Digital Personal Data Protection Bill, 2023 successfully cleared the Lok Sabha hurdle on Monday. The bill highlights a comprehensive framework for data management responsibilities and individual rights while imposing substantial penalties on violators. The proposed legislation introduces a robust penalty structure, with organizations facing penalties ranging from a minimum of Rs 50 crore to a maximum of Rs 250 crore for breaches of data protection standards. The bill's purview extends to personal data collected within India, both online and offline, and even includes data processed outside India if it pertains to providing goods or services to Indian residents.
Union Communications, Electronics, and Information Technology Minister Ashwini Vaishnaw introduced the bill in the lower house on August 3. While the opposition called for a referral to the standing committee for review, Vaishnaw defended the bill, stating that it was a "normal bill" rather than a money bill.
Digital Personal Data Protection Bill Passed In Lok Sabha: Exemptions, Penalties, Fiduciaries, Everything You Need To Know
Key Highlights Of Digital Personal Data Protection Bill:
- Data Breach Protocol: Firms must promptly notify both the Data Protection Board (DPB) and affected users in case of a data breach.
- Special Consideration for Vulnerable Groups: Data concerning children and individuals with guardianship will only be processed with guardian approval.
- Data Protection Officer: Companies are required to designate a Data Protection Officer and provide this information to users.
- Protection of Personal Data: Companies that engage with user data, even through third-party processors, are mandated to ensure the protection of personal data.
- Penalty Determination: The DPB has the discretion to impose penalties based on the severity of breaches and the nature of compromised personal data.
- Repeat Offender Consequences: If violations of the DPB Bill occur multiple times, the DPB may recommend intermediary access restrictions to the government.
- Transborder Data Flow Restrictions: The central authority retains the power to restrict the transfer of personal data to foreign territories other than India.
- Appeals Process: Appeals against DPB rulings will be adjudicated by the Telecom Disputes Settlement and Appellate Tribunal.
- Regulatory Oversight: The DPB is empowered to conduct audits, summon witnesses, and inspect the records of organizations handling personal data.