The Parliament on Wednesday cleared the Digital Personal Data Protection Bill (DPDPB), 2023. The Rajya Sabha passed the bill days after it was cleared in the Lok Sabha. The bill was passed in the Upper House by a voice vote amid sloganeering by the Opposition. The bill would be sent to President Draupadi Murmu for assent after which it would become a law.
The DPDPB comes six years after the Supreme Court (SC) declared that the "Right to Privacy" was a fundamental right.
Union minister for Electronics and Information Technology Ashwini Vaishnaw mentioned that the DPDPB laid down several obligations on private and government entities on the collection and processing of every citizen's data.
Also read: iPhone 15 Series To Bid Adieu To Lightning Cable In Favour Of USB Type-C Charging?
“Under this bill, individuals using digital services have been given more power and more obligations have been imposed on companies using data of individuals. There has been a lot of consultation on the bill and then it has been presented before the House."
One of the key highlights of the bill is that businesses and companies can't process personal user data without their explicit consent. The bill has done away with jail terms and criminal penalties, envisioned under the older versions. The DPDPB also suggests a penalty of up to Rs 250 crore per instance of data breach and a maximum penalty of Rs 500 crore for all such breaches.
Unlike the approach of major data jurisdictions, for example in the European Union (EU), the bill has also moved to a "blacklisting" approach for cross-border processing of personal data and transfer. This simply means that Centre would determine certain regions where data cannot be processed, unlike in the EU where the approach is to identify and whitelist regions that follow and implement adequate legal standards for processing data within their geographies.
According to Rajeev Chandrasekhar, the MoS for Electronics and Information Technology, the DPDPB intends to safeguard the rights of all citizens while fostering the growth of the innovation economy. He had earlier said that the bill would enable the government's lawful and legitimate access in matters of national security and calamities, such as earthquakes and pandemics.
It is based on similar underlying principles which are the basis of personal data protection laws in other jurisdictions including the General Data Protection Regulation (GDPR). These include lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality and accountability. Fundamentally, the bill is based on sound principles and envisions to safeguard data privacy without overburdening businesses.