India’s Digital Personal Data Protection Bill 2023

What is the Digital Personal Data Protection Bill 2023?

Digital Personal Data Protection Bill (DPDPB) 2023 is India’s first privacy law. The DPDPB is designed to regulate the collection and processing of citizen’s data by online platforms with the intent to protect their privacy. Both private and government entities need to comply with this Bill. They are required to acknowledge and safeguard individuals’ personal information and provide legitimate purposes for the data to be processed. The DPDPB does not cover data that is publicly available or personal data processed by individuals for personal or domestic purposes. 

On August 9, 2023, the DPDPB was approved by both houses of the parliament, the Lok Sabha, and signed by President Droupadi Murmu. On August 11, 2023, the bill was then passed unanimously in the Rajya Sabha.

Components of the Digital Personal Data Protection Bill 

The DPDPB governs the processing of personally identifiable information (PII) data in digital and non-digital formats within India. The Bill also extends to all “data principals” with regards to the offering of goods or services within India. According to the Bill, “data principals” are individuals within India, including parents or legal guardians of minors and persons with disabilities. 

Structure of the Digital Personal Data Protection Bill 

The Bill includes 6 chapters, with 33 sections and one schedule that includes penalties for non-compliance. Fines can go up to 250 crores for businesses that lack data protection workflows.

Compliance Obligations of the Digital Personal Data Protection Bill

Regardless of agreements or non-compliance of “data principals,” organizations must comply and fulfill their responsibilities under the Bill. This includes ensuring accurate, complete personal data for decision making and disclosures. They must also implement adequate organizational and technical measures for compliance. Essentially, all data fiduciaries will need to keep data secure, maintain accuracy, and once the purpose of the data has been met — delete it. 

The Role of a Data Protection Board

Organizations are allowed to form a Data Protection Board (DPB) to handle remediation from data breaches. If a data breach occurs, companies must inform their users and the Data Protection Board (DPB) so proper action can be taken.  The DPB can make recommendations on behalf of the public interest, such as the removal of content or blocking third parties, etc. 

The Rights of “Data Principals”

The bill empowers “data principals”  to receive information and request the correction and deletion of their personal data. Companies will need to extend personal data protection through third party data processors. 

Notification Requirements for “Data Principals”

Notices to “data principals” must be provided in English or one of the 22 scheduled languages depending on preferences of the data principals. Organizations are required to provide to “data principals”:

• how their personal data is being processed
• the purpose of data processing 
• how they can exercise their rights
• contact information to reach the Data Protection Board

These requirements extend to future and existing data that has already been collected before the enactment of the law.   

Personal Data transfers outside of India

The DPDPB allows free transfer of personal data outside of India, except countries restricted by the Central Government. Other India laws that can influence International data transfers are considered and provisions retained. 

Penalties for Non-compliance with the Digital Personal Data Protection Bill

India is the most populous country in the world, covering approximately ~17% of the world’s population. For those doing business with “900 million Indians connected to the Internet” – data privacy and security tools need to be in place. Failure to comply can cost up to:

Staying ahead of new and evolving data regulatory laws and regulations can be daunting.  Contact us for a free consultation to learn how we can help.