Lok Sabha to consider and pass Digital Personal Data Protection Bill today
As per the latest news, the Lok Sabha, the lower house of the Indian Parliament, is scheduled to discuss and vote on the Digital Personal Data Protection (DPDP) Bill, 2023 on Monday. The bill aims to address concerns related to the protection and regulation of personal data in the digital realm.
The DPDP Bill, 2023, is a significant legislative proposal aimed at safeguarding the privacy and security of individuals’ personal information in the digital age. It aims to establish a framework for collecting, processing, and storing personal data while also defining the responsibilities and obligations of data fiduciaries and data processors.
The bill is expected to undergo thorough deliberations and discussions in the Lok Sabha before it can be passed into law. The outcome of the parliamentary debate will determine the fate of the DPDP Bill and its potential implications for the Indian digital landscape, businesses, and citizens’ data privacy rights.
On August 3, the Digital Personal Data Protection Bill, 2023 was introduced in the Indian Parliament by Union Communications, Electronics, and Information Technology Minister Ashwini Vaishnaw. During the introduction of the bill, the minister clarified that it is not categorized as a money bill, which means it will be subject to debate and discussion in both houses of Parliament.
In response to concerns raised by the opposition regarding the bill’s provisions and implications, Minister Vaishnaw assured that all the issues and questions raised would be addressed and clarified during the parliamentary debate on the bill. This implies that there will be a comprehensive discussion on various aspects of the proposed legislation, and the government will provide responses to the concerns raised by the opposition and other stakeholders.
The introduction of the Digital Personal Data Protection Bill, 2023 marks a crucial step in regulating and safeguarding personal data in the digital domain. As it progresses through the parliamentary process, its provisions and potential impact on data privacy and security in India will be subject to thorough examination and scrutiny by lawmakers, leading to potential amendments and improvements to the bill before it becomes law.
The Digital Personal Data Protection Bill aims to establish a comprehensive framework for handling digital personal data, acknowledging the importance of individual privacy rights while also recognizing the legitimate need for lawful data processing.
The bill provides guidelines for the proper processing of digital personal data, ensuring that individuals’ information is safeguarded and used responsibly. It emphasizes the need to process personal data for lawful purposes, which implies that data collection, storage, and usage must be carried out in compliance with relevant laws and regulations.
One of the crucial aspects addressed in the bill is the definition of a personal data breach. It characterizes a breach as any unauthorized processing of personal data or accidental incidents involving disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data. Such breaches could compromise the confidentiality, integrity, or availability of personal data, posing a risk to individuals’ privacy and security.
By defining and addressing personal data breaches, the bill aims to enhance data protection measures and encourage organizations and entities to implement robust security measures to prevent unauthorized access or misuse of personal data. This proactive approach can lead to more effective data protection practices and reinforce individuals’ confidence in the handling of their digital personal data.
Once the Digital Personal Data Protection Bill is approved by Parliament and becomes law, it will have a broad scope and applicability to various forms of personal data processing within and outside India.
The proposed norms will apply to personal data collected within India, whether it is obtained from data principals (individuals) online or through offline means but subsequently converted into digital format. This means that data controllers and processors operating within the country will be required to comply with the prescribed regulations when handling personal data.
Furthermore, the bill extends its jurisdiction to the processing of personal data outside India if it is done for the purpose of offering goods or services to individuals in India. This means that foreign companies or entities that process personal data of Indian individuals as part of their business operations will also need to adhere to the data protection provisions outlined in the Act.
However, there are certain exemptions to the application of the proposed provisions. The Act does not cover personal data processed by an individual for personal or domestic purposes. For instance, if an individual shares personal data on their social media blog for personal expression or non-commercial purposes, the data protection regulations will not apply to such activities.
Similarly, the proposed provisions also do not apply to personal data that data principals themselves make publicly available. For instance, if a blogger willingly shares their personal data publicly on their blog, the Act will not regulate the processing of such data, as it has been voluntarily disclosed by the data principal.
These exemptions are aimed at ensuring that the Act focuses on regulating data processing activities conducted for commercial or organizational purposes and does not unduly restrict personal or non-commercial use of data by individuals.
Under the Digital Personal Data Protection Bill, personal data can only be processed for specific lawful purposes, and it requires the consent of the individual whose data is being processed. Additionally, there are certain legitimate uses for which personal data can be processed without explicit consent.
For instance, in the case of a bank processing customer KYC (Know Your Customer) data, they would need to provide a notice to the individual concerned, informing them about the data being collected, the purpose of processing, and obtaining their consent for the same. This notice is often referred to as a privacy notice or data processing notice.
The privacy notice must be clear, concise, and easily accessible to the individual, allowing them to make informed decisions about the use of their personal data. It should detail the types of data being collected, the purpose for which the data is being processed, any third parties involved in data sharing, and the individual’s rights regarding their data.
By providing a privacy notice and obtaining explicit consent from the individual, the bank ensures compliance with data protection regulations and respects the individual’s right to control their personal data. This principle of informed consent and notice is a crucial aspect of data protection laws worldwide, including the Digital Personal Data Protection Bill in India.
According to data protection principles, the consent of the individual must be obtained through clear affirmative action, indicating their agreement to the processing of their personal data for the specific purpose outlined in the privacy notice.
Regarding the opposition to the Digital Personal Data Protection Bill, many members from the Opposition have expressed strong reservations about the bill, asserting that it violates the fundamental right to privacy. They argue that the proposed provisions in the bill might have implications on individuals’ privacy rights, and thus, it requires more comprehensive scrutiny.
The opposition members’ demand to refer the bill to the standing committee for further examination is a common parliamentary practice to ensure that proposed legislation is thoroughly evaluated, and all concerns are addressed before it becomes law. This would involve in-depth discussions, gathering inputs from various stakeholders, and potentially making amendments to the bill to address any shortcomings or issues raised during the scrutiny process.
Their assertion that the government had withdrawn a previous data protection bill last year and the new bill necessitates more scrutiny highlights the need for a comprehensive and well-thought-out data protection framework that ensures the protection of individuals’ privacy rights while promoting responsible data usage.
The bill’s fate now depends on how the government responds to the opposition’s demands and whether it agrees to refer the bill to the standing committee for further examination. Such discussions and debates in Parliament are an essential part of the democratic process to ensure that legislation is well-rounded, fair, and serves the best interests of the citizens.
