Lok Sabha passes Digital Personal Data Protection Bill, 2023

The Lok Sabha passed the Digital Personal Data Protection Bill 2023 on Monday, which sets out the obligations of entities that handle and process data, as well as the rights of individuals. The bill proposes a maximum penalty of Rs 250 crore and a minimum penalty of Rs 50 crore on entities violating the norms.

Some of the amendments moved by opposition members were defeated by a voice vote.

Introducing the bill for consideration and approval, Union Information Technology Minister Ashwini Vaishnaw said opposition members had little concern for issues such as public welfare and the protection of personal data of the people and, hence, they were raising slogans. He also urged the House of Representatives to pass the bill unanimously.

The norms of the bill will apply to personal data collected within India from online data principals and personal data collected offline but later converted to digital form. It will also apply to such processing outside of India if it relates to the supply of goods or services to persons in India.

Vaishnaw had tabled the bill in the lower house on August 3. The opposition demanded that it be sent to the Permanent Commission for scrutiny. While moving the bill, the Information Technology Minister rejected suggestions that it was a money bill saying it was a "normal bill".

The bill provides for the processing of digital personal data in a manner "that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes."

Key provisions of the bill

• Firms dealing with user data must protect personal data even if it is stored with a third-party data processor.
• In case of a data breach, companies must inform the Data Protection Board (DPB) and users
• Children’s data and data of physically disabled persons with guardians must be processed after prior consent from guardians.
• Companies must appoint a data protection officer and provide these details to users
• The Center reserves the power to restrict the transfer of personal data to any country or territory outside India.
• Appeals against DPB decisions are to be heard by the Telecommunications Dispute Settlement and Appellate Tribunal
• The DPB may summon and question people under oath and inspect the books and documents of companies that operate with personal data.
• DPB to decide on the penalty after considering the nature and gravity of the breach, the type of personal data impacted
• The DPB may advise the government to block access to an intermediary if the provisions of the DPDP Act have been violated more than twice
• Penalties can be up to Rs 250 crore for a data breach or for failing to protect personal data to inform the DPB and users of the breach.