The Digital Personal Data Protection Bill, 2023, which outlines both peoples’ rights and the responsibilities of organisations managing and processing data, was approved by the Lok Sabha on Monday.
The bill proposes imposing a minimum penalty of Rs. 50 crore and a maximum penalty of Rs. 250 crore on corporations that violate the rules.
The rules would apply to both personal data that is gathered offline but later digitised and personal data that is obtained online from data principals in India. If the processing is being done to provide products or services to Indian citizens, it will also be subject to the same rules.
The legislation was introduced in the lower house on August 3 by Ashwini Vaishnaw, the union’s minister of communications, electronics, and information technology. It had been asked by the opposition that it be submitted to the standing committee for review. Vaishnaw had argued that the measure was a “normal bill” while pushing it, rejecting claims that it was a money bill.
The bill provides for the processing of digital personal data in a manner “that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes”.
Key provisions of the Bill:
- Firms dealing with user data must protect personal data even if it is stored with a third-party data processor
- In case of a data breach, companies must inform the Data Protection Board (DPB) and users
- Children’s data and data of physically disabled persons with guardians must be processed after consent from guardians
- Firms must appoint a Data Protection Officer, and provide such details to users
- The Centre retains the power to restrict the transfer of personal data to any country, or territory outside India
- Appeals against DPB decisions to be heard by the Telecom Disputes Settlement and Appellate Tribunal
- DPB may summon, examine people under oath, inspect books, and documents of companies working with personal data
- DPB to decide on penalty after considering the nature and gravity of the breach, the type of personal data impacted
- DPB may advise government to block access to an intermediary, if DPDP Bill provisions are breached more than twice
- Penalties can go up to Rs 250 crore for a data breach, failure to protect personal data or inform DPB and users of the breach.
Catch all the Latest Business News, Breaking News Events and Latest News Updates on NewsX)