President Gives Assent To Digital Personal Data Protection Act 2023

The President has given assent to the new the Digital Personal Data Protect, Act 2023 on Friday. The Act will come into force on the date to be notified by Centre.

It is a first law made for processing data and amends various legislations including Right to Information Act and IT Act. It will come into force on such date as the Central Government may announce by notification.

The Bill seeks “to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes.”

It applies to the processing of digital personal data within the territory of India where the personal data is collected in digital form or in non-digital form and digitised subsequently.

It also applies to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services “to Data Principals within the territory of India.”

“Data Principal” is defined as the individual to whom the personal data relates.

According to the Bill, the personal data can be processed only after taking the consent and for certain “legitimate uses”. “Personal data” is defined under the Bill as “any data about an individual who is identifiable by or in relation to such data.”

It empowers the central government to exempt government agencies from the application of provisions of the Bill in the interest of specified grounds such as security of the state, public order, and prevention of offences.

The Bill requires establishment of the Data Protection Board of India by the central government. It will monitor compliance and imposition of penalties, direct data fiduciaries to take necessary measures in the event of a data breach and hear grievances made by affected persons.

Penalties are also provided for various offences such as for non-fulfilment of obligations for children upto Rs 200 crore, and for failure to take security measures to prevent data breaches, upto Rs 250 crore.

The Bill requires that the request for the consent should be accompanied or preceded by a notice to inform the purpose for which the personal data is proposed to be processed.It also grants certain rights to individuals including the right to obtain information, seek correction and erasure, and grievance redressal.

Use Of Personal Data For Certain “Legitimate Use”

A “Data Fiduciary”, means any person who alone or in conjunction with other persons determines the purpose of processing of personal data, can process the personal data for the following purposes.

For the specified purpose for which the person has voluntarily provided her personal data to the Data Fiduciary.

For the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State.

To provide or issue subsidy, benefit, service, certificate, licence or permit wherein the person has previously consented or available from “any database” maintained by the government as notified by the Central Government.

Notably, the parliament has recently passed the Registration of Birth and Death Bill which mandates for maintenance of database of registered births and deaths” “at the National level.”

It further adds that the personal data can also be used for the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State.

Personal Data can also be processed for fulfilling any obligation under any law for the time being in force in India on any person to disclose any information to the State or any of its instrumentalities, subject to such processing being in accordance with the provisions regarding disclosure of such information in any other law for the time being in force.

It can also be used to comply with any judgment or decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India.

Also, for responding to a medical emergency involving a threat to the life or immediate threat to the health of the Data Principal or any other individual, or during an epidemic and for taking safety measures during any disaster, or any breakdown of public order.

Privacy activists have voiced concerns about the potential misuse of personal data under the guise of provisions like “interest of sovereignty and integrity of India” or “Security of State.” The Bill does not require for deleting of the data after processing for the specific purposes.

The amendment in the Right to Information Act will remove the provision for seeking "personal information" even if it is in the interest of public.

Click Here To Read/Download The Notification