Everything You Need to Know About the Digital Personal Data Protection Bill 2023

On the cusp of the 77th year of India’s Independence, India took a giant stride in the world of digital rights and cybersecurity.

On Friday, August 9, the President of India, Droupadi Murmu, endorsed the Digital Personal Data Protection Bill 2023, popularly known as the DPDP Bill 2023, after it saw widespread approval from both houses of the Parliament of India. This endorsement becomes a beacon of India’s evolving stance on the importance of data protection in this modern age.

This unanimous decision by the Rajya Sabha on August 9 was complemented by the Lok Sabha’s voice vote on August 7, emphasizing the collective acknowledgement of the bill’s significance.

While there were voices of opposition, the resounding majority demonstrated a keen understanding of the urgent need for robust data protection laws.

The DPDP Bill 2023 aims to strike a delicate yet essential balance. On one side, it champions the inherent rights of individuals to guard their most private digital assets – their personal data.

On the other, it recognizes that in the vast and interconnected digital world, certain lawful processes require access to this data. In its essence, the Digital Personal Data Protection Bill 2023 is designed as a shield and a guide.

As stated in the bill’s text, it is “A Bill to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.”

Salient Features of the Digital Personal Data Protection Bill 2023

India’s commitment to safeguarding the digital rights of its citizens has found a new expression in the Digital Personal Data Protection Bill, 2023, also referred to as the DPDP Bill 2023.

This Bill encapsulates a holistic approach toward data protection, emphasizing the equilibrium between individual rights and lawful data processing.

Key Highlights of the DPDP Bill 2023:

1. Definition and Protection of Digital Personal Data:
   • The Bill categorizes digital personal data as data through which an individual can be identified.
   • Obligations are placed on Data Fiduciaries (entities like persons, companies, and government bodies that process data) to ensure safe processing, which encompasses collection, storage, and other operations on personal data.
   • Rights and duties of the Data Principals (individuals to whom the data relates) are explicitly mentioned.
   • For any breach of these rights, duties, and obligations, financial penalties are imposed.
2. Bill’s Objectives:
   • Introducing a data protection law that ensures a balance between necessary change and minimal disruption.
   • Enhancing both the Ease of Living and the Ease of Doing Business in India.
   • Empowering the burgeoning digital economy and fostering the innovation ecosystem.
3. Seven Foundational Principles:
   • The bill stands on seven guiding principles:
     • Consented, lawful, and transparent use of personal data.
     • Purpose limitation.
     • Data minimization.
     • Data accuracy.
     • Storage limitation.
     • Incorporation of reasonable security safeguards.
     • Accountability through adjudication and penalties for breaches.
4. Innovative Features of the DPDP Bill 2023:
   • The Bill is crafted to be SARAL (Simple, Accessible, Rational & Actionable Law) using straightforward language, clear illustrations, minimal cross-referencing, and devoid of provisos.
   • In a significant move symbolizing inclusivity and gender sensitivity, the Bill uses “she” over the traditional “he”.
5. Rights Empowered to Individuals:
   • Individuals are endowed with rights such as access to their processed personal data, correction and erasure of data, grievance redressal, and the right to delegate someone for rights execution in case of death or incapacity.
   • Data Principals, if unsatisfied with a Data Fiduciary’s response, can approach the Data Protection Board.
6. Obligations of Data Fiduciaries:
   • Ensuring robust security safeguards.
   • Reporting personal data breaches to the Data Principal and the Data Protection Board.
   • Erasing data that’s no longer essential or upon withdrawal of consent.
   • Establishing a grievance redressal mechanism.
   • Special obligations for Significant Data Fiduciaries, which includes periodic Data Protection Impact Assessments.
7. Child Data Safeguarding:</strong>
   • Parental consent is mandatory for processing a child’s personal data.
   • Prohibitions on processes harmful to children, like their tracking, behavioral monitoring, or targeted advertising.
8. Bill Exemptions:
   • The DPDP Bill 2023 allows exemptions under specific scenarios, such as for research, legal rights enforcement, startups, and certain regulatory functions, among others.
9. Roles and Responsibilities of the Data Protection Board:
   • Directing remediation for data breaches.
   • Investigating breaches, addressing complaints, and imposing financial penalties.
   • Facilitating Alternate Dispute Resolution.
   • Advising the government on actions against non-compliant Data Fiduciaries.

In alignment with the Cybersecurity Bill India 2023, the Digital Personal Data Protection Bill 2023 paves the way for a future where every Indian’s digital rights are protected and upheld.

After six years in the making and multiple revisions, the DPDP Bill 2023, has finally come to fruition, marking a significant evolution in India’s approach to data privacy.

The Act provides much-needed clarity to both users and corporations, including the vibrant startup ecosystem, on data usage, personal data management, and consent parameters. However, its comparison to Europe’s GDPR reveals gaps, particularly in implementation specifics.

The Digital Personal Data Protection Act is a welcome step towards strengthening India's cybersecurity posture. The act provides a comprehensive framework for regulating the use of data by private businesses, and it will help protect Indian citizens from cyber threats and other misuse of their digital data. We are pleased that the act includes provisions for data localization, which will ensure that data stays within the country’s borders. This is essential for protecting Indian citizens' privacy and security, and it will also boost job creation within the security space. We look forward to working with the Government of India to implement the act and strengthen cybersecurity postures within the country.”

Sunil Sharma, Vice President – Sales India and SAARC, Sophos

The recently passed Digital Personal Data Protection (DPDP) Act by the government of India, is an important legislation that will provide much-needed clarity and certainty for businesses and individuals alike. It will aid in protecting data and privacy, while also promoting innovation and economic growth.  

As a global leader in cloud and data management services, NetApp offers solutions that enable enterprises to protect the privacy and security of their customers' data in the most efficient way. We believe that the DPDP Act is a positive step towards ensuring that data is managed responsibly and ethically. We look forward to working with the Government of India, our partners, and all relevant stakeholders to ensure data resiliency across sectors and operations.”

Puneet Gupta, Vice President & Managing Director, NetApp

“It is a moment of pride for us as the Digital Personal Data Protection (DPDP) Bill has been granted the President's assent and made into an Act. This is a major step forward for India in protecting the privacy of its citizens. Fulcrum Digital is committed to complying with the provisions of the Act and ensuring that we handle our customers' data responsibly. The Act sets forth a comprehensive framework for the collection, use, and sharing of personal data in India and empowers individuals to take action against businesses that misuse it. The Act also establishes a Data Protection Authority to enforce the law and protect the privacy of citizens. The passage of the DPDP Act is a major victory for privacy advocates in India. It is a sign that the government is committed to protecting the privacy of its citizens. Fulcrum Digital is looking forward to working in tandem with the government to implement the Act in an effort to respect the citizens it protects and empowers.”

Vaibhav Tare, CISO & Global Head – Cloud & Infrastructure Services, Fulcrum Digital Inc.

While the DPDP Act, 2023 has made certain amendments that simplify and provide greater clarity on cross-border data transactions and digital data applicability, concerns persist.

Furthermore, the challenges of keeping pace with rapidly evolving technologies, such as Generative AI, underscore the Act’s potential implementation obstacles.

However, on a brighter note, many in the startup ecosystem feel the Act is straightforward, promising a new age of responsible innovation and strengthened user relationships in India’s digital landscape.

The assent from President Droupadi Murmu to the DPDP Bill 2023 signifies the government’s commitment to data protection.

But as India stands on the brink of what many perceive as a ‘privacy revolution’, the true effectiveness of this legislation in upholding the sanctity of data privacy, particularly in comparison to global standards like GDPR, remains to be seen.

Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.