
Digital Personal Data Protection Bill, 2023: Here Are The Top 8 Changes

The central government will have blocking powers under the new Digital Personal Data Protection Bill tabled before the Parliament.

(Source: Unsplash)

The Union government introduced the Digital Personal Data Protection Bill, 2023, before the Lok Sabha on Thursday, with several key changes to the earlier draft.

An earlier version of the proposed law was circulated for public consultation in November 2022.

Last year's version faced severe criticism for giving extensive rule-making powers to the central government while giving wide exemptions to itself. Businesses had complained about onerous provisions on cross-border data transfer.

The 2023 Bill represents India’s fourth attempt at a comprehensive data privacy law after the Supreme Court’s recognition of the right to privacy as a fundamental right. An earlier version of the Bill was withdrawn from Parliament in August 2022.


Here are some of the key changes under the new bill:

Enhanced Legislative Scope

The Digital Personal Data Protection Bill, 2022, covered the processing of digital personal data within India where:

  • Personal data is collected from data subjects online.

  • And personal data collected offline is digitised.

The 2023 version hasn't made any changes to this. But the definition of "processing" has been tweaked to include data that has been wholly or partly automated.

The second key change in scope has to do with profiling that happens outside India.

According to the 2022 version, any offshore entity processing (for example, profiling) data pertaining to data principals in India would be subject to the law.

The 2023 version has removed the extraterritorial application of the Bill in cases of "profiling" happening overseas.

According to the Bill, profiling means processing personal data that analyses or predicts aspects concerning the behaviour, attributes, or interests of an individual for the provision of goods and services in India.

Cross-Border Transfer

The current Bill uses a blacklisting system as opposed to the earlier one, which only permitted the transfer of personal data to locations notified by the government.

Companies processing personal data will now be allowed to transfer data to any other nation for processing as long as it is not restricted by the central government.


Blocking Powers To The Government

The central government, under the 2023 Bill, will have the power to block public access to any information hosted on a computer resource as long as it is in the public interest. No such provision existed in the 2022 version.

The Data Protection Board, constituted under the Act, will have advisory power to make recommendations for blocking public access to a computer resource or a platform. The Board can make such a recommendation if the data fiduciary has faced a monetary fine on more than two instances.

This provision further solidifies the state's blocking powers, as recognised by the Karnataka High Court in the Twitter case.

Deemed Consent: Rebranded

The new Bill doesn't do away with deemed consent; however, it has rebranded the clause to be applicable to certain legitimate uses. Under the new bill, data can be processed without explicit consent as long as it's given voluntarily and is for a "legitimate purpose" provided under the Bill. Consent under the new bill is deemed to be given:

  • Where the individual has not explicitly indicated that she does not consent

  • For the issue of subsidies, benefits, services, certificates, licences, permits, etc., as long as such consent was previously obtained by a state instrumentality for the purpose and the data is available digitally.

  • In the interest of the sovereignty and integrity of India and the security of the state

  • To comply with a judgement or decree

  • For responding to a medical emergency of the individual or anyone else.

  • For taking measures to ensure the safety of, or provide assistance or services to, any individual during any disaster.

  • To provide health services to any individual during an epidemic, outbreak of disease, or any other threat to public health

The extent of the consent, however, is limited under the new bill. The data can only be processed for the specific purpose for which it is deemed to be given and must be necessary for fulfilling the purpose.

For instance, an individual sharing his phone number at a restaurant to reserve seats would reasonably expect such data to be processed for the booking of tables, which is therefore a reasonable use.

However, the restaurant wouldn't be able to retain the data and use it for future purposes once its purpose is served. This means that once the Bill comes into force, businesses will no longer be able to make the defense that the individual has voluntarily given up the data if the data is being used for purposes not reasonably expected. This will help prevent the large-scale misuse of data by businesses for promotional purposes.

Additionally, the new Bill also removes the public interest grounds for which data was deemed to be given, such as prevention or detection of fraud, network and information security, processing of publicly available data, etc.


Exemption For Startups

To reduce compliance for newly formed businesses, the 2023 version of the Bill empowers the central government to exempt certain categories of businesses from compliance, including startups.

Startups are entities that are recognised by the Ministry of Commerce and Industry.

The proposal is to exempt them from the requirements of:

  • Providing a notice prior to obtaining consent for data processing

  • Ensuring the completeness, accuracy, and consistency of personal data when it is disclosed to another data fiduciary.

  • Erasing the data as soon as its purpose is served.

  • Being classified as a Significant Data Fiduciary and the obligations that come with it.

  • Honouring requests for data access by data principals

Tiered Appellate Mechanism

The 2022 Bill allowed individuals to approach the Data Protection Board in case of a data breach.

The 2023 version takes a more complicated approach to grievance redressal and provides for a tiered mechanism.

Individuals aggrieved under the law will be required to first approach the grievance redressal mechanism provided by the data fiduciary.

Once they have exhausted this option, they will be allowed to approach the Data Protection Board. Appeals from the Data Protection Board will lie before the Telecom Disputes Settlement and Appellate Tribunal.

Reduced Penalties

The earlier draft provided significant penalties for non-compliance. The penalty for breach or non-compliance was as high as Rs 250 crore and could even be up to Rs 500 crore if it was a significant one.

The 2023 Bill, however, does not include enhanced penalties for significant breaches. This means the penalty in no case can go beyond Rs 250 crore. It would further depend on the gravity, duration, and repetitiveness of the violation.

The new Bill also penalises any breach of a voluntary undertaking provided by the company to the Data Protection Board.

A voluntary undertaking is an undertaking by a person to take or not take a particular action in respect of a breach. Any non-compliance with the undertaking would be deemed to be a breach of the Act itself.

Good Faith Law To Save The Government

The 2022 draft provided the Board with protection from prosecution, suit, or legal proceedings for anything done in good faith.

The new Bill extends immunity to the government as well. Any action taken by the central government that is done or intended to be done in good faith will be protected from prosecution.

Besides the above changes, the government has further brought clarity to the composition and function of the Data Protection Board, which was earlier left to delegated legislation.

There is, however, no change to the rule-making powers vested in the central government. The procedure and manner of implementation of the proposed law have been largely left to the rules prescribed by the government.
