New Delhi: From hefty penalties ranging from a minimum of Rs 50 crore to a maximum of Rs 250 crore on social media platforms for violating rules to enabling digital markets to grow more responsibly while safeguarding citizens’ data, the Digital Personal Data Protection Bill, 2023 was cleared on Monday by the Lok Sabha and will go to the Rajya Sabha now.
The Bill envisages the creation of a Data Protection Board of India. Since the structure of the Board is to be notified after enactment of the Bill, at this stage, the financial implications of setting up and functioning of the Board is estimated to be about Rs 25 crore towards initial capital expenditure and Rs 10 crore annually for recurring expenditure.
The said expenditure is to be incurred from and out of the Consolidated Fund of India.
The Board has the authority to summon and examine individuals under oath, inspect documents of companies handling personal data, and recommend blocking access to intermediaries that repeatedly breach the Bill’s provisions.
The Data Protection Bill will assess penalties based on the nature and severity of the breach, with potential fines of up to Rs 250 crore for instances of data breaches, failure to protect personal data, or failure to inform the Board and users of a breach.
The Bill will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised. It will also apply to such processing outside the country, if it is for offering goods or services in India.
Personal data may be processed only for a lawful purpose upon consent of an individual. Consent may not be required for specified legitimate uses such as voluntary sharing of data by the individual or processing by the state for permits, licences, benefits, and services.
Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.
The Bill grants certain rights to individuals, including the right to obtain information, seek correction and erasure, and grievance redressal.
The Centre may exempt government agencies from the application of provisions of the Bill in the interest of specified grounds such as security of the state, public order, and prevention of offences.
According to Manish Sehgal, Partner, Risk Advisory, Deloitte India, once enacted, the Bill will enhance the privacy cognisance of Indian citizens by empowering them with their privacy rights through transformative accountability measures to be adopted by the enterprises.
Hemant Krishna, Partner, Shardul Amarchand Mangaldas & Co, said with the strides made by AI, personal data can be processed with unprecedented velocity and sophistication.
“Ironically, despite the volume and variety of personal data in India, due to the absence of a proper privacy framework, citizens have not had sufficient control over their data and businesses have struggled to find legitimate ways to collect and process personal data. That is all set to change when the DPDP Bill becomes law,” Krishna said.
The Bill brings in the much-needed legal framework to foster trust in digital markets. On one hand, it protects the privacy of Indian digital citizens and on the other, it enables digital markets to grow more responsibly.
“In the short run, the Act will increase the compliance burden of smaller firms. With the passage of time, however, such compliance becomes standard. Moreover, this framework will increase the trust of users in newer and lesser-known firms. Thus, small firms need not fear the compliance cost,” said Vikas Kathuria, Associate Professor, School of Law, BML Munjal University.
However, since the Bill does not differentiate between personal data and critical/sensitive personal data, it will be interesting to see how compliances unfold at a pan-India level.
“Especially, since notice and consent requirements will trigger even when name and phone number/e-mail ids are collected. This is a paradigm shift from the existing data protection rules which trigger compliances only for sensitive personal data,” said Huzefa Tavawalla, Head, Disruptive Technologies practice group, Nishith Desai Associates.
In the event of a data breach, companies are mandated to promptly inform the Data Protection Board (DPB) and the affected users.
Processing data of minors and individuals with guardians must be done only with the consent of guardians, according to the Bill.
Companies are required to appoint a Data Protection Officer and share their contact details with the users.
(IANS)