The Digital Personal Data Protection Act, 2023

Information that can be used to identify or contact a specific individual is known as personal data.  Personal data is processed by both businesses and governmental organizations in order to supply goods and services.  Processing personal data enables comprehension of user preferences, which may be helpful for customization, targeted advertising, and suggestion development.

A Committee of Experts on Data Protection, headed by Justice B. N. Srikrishna, was established by the national government in 2017 to investigate matters pertaining to data protection in the nation.  In July 2018, the Committee turned in its report.  The Personal Data Protection Bill, 2019 was presented in Lok Sabha in December 2019 based on the Committee’s recommendations.  The Bill was referred to a Joint Parliamentary Committee, which delivered its report in December 2021.  The Bill was withdrawn from Parliament in August 2022.  A Draft Bill was made available for public comment in November 2022.  The Digital Personal Data Protection Bill, 2023 was tabled in Parliament in August of this year, during the monsoon session.

The President of India on Friday granted assent to the Digital Personal Data Protection Bill, 2023 (DPDP Bill) after it was passed by both houses of Parliament.  The stated objective of the Act is: “An Act to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.”

The Bill applies to the processing of digital personal data in India where the data is either (i) gathered online or (ii) collected offline and converted to digital form.  If processing is done to provide goods or services in India, it also applies to processing done outside of India.  Any information on a person who may be identified from or in connection with that information is referred to as personal data.  The term “processing” refers to any fully or partially automated action taken on digitally stored personal data.  It comprises gathering, keeping, using, and sharing.

Features of the Act-

  1. Personal data may be processed only for a lawful purpose after obtaining the consent of the individual.  A notice must be given before seeking consent.  The notice should contain details about the personal data to be collected and the purpose of processing.  Consent may be withdrawn at any point in time.  Consent will not be required for ‘legitimate uses’ including: (i) specified purpose for which data has been provided by an individual voluntarily, (ii) provision of benefit or service by the government, (iii) medical emergency, and (iv) employment.   For individuals below 18 years of age, consent will be provided by the parent or the legal guardian.
  2. Rights and duties of the Data Principal- A person whose data is being processed (referred to as the “data principal”) is entitled to the following rights: (i) information about processing; (ii) deletion of personal data; (iii) designating a substitute for themselves to exercise rights in the case of death or incapacity; and (iv) grievance redressal.  Certain obligations will fall on data principals.  They may not: (i) file a fictitious or baseless complaint; (ii) provide any false information; or (iii) impersonate another individual in certain circumstances.  Duty violations are penalized by fines of up to Rs 10,000.
  3. Duties of Data Fiduciaries-
  4. Data Protection Board of India: The central government will establish the Data Protection Board of India.  Key functions of the Board include: (i) monitoring compliance and imposing penalties, (ii) directing data fiduciaries to take necessary measures in the event of a data breach, and (iii) hearing grievances made by affected persons.  Board members will be appointed for two years and will be eligible for re-appointment.   The central government will prescribe details such as the number of members of the Board and the selection process.   Appeals against the decisions of the Board will lie with TDSAT.
  5. Penalties-  Penalties for numerous offenses are outlined in the schedule to the Bill, including up to (i) Rs 200 crore for failing to fulfill commitments to minors and (ii) Rs 250 crore for failing to take security precautions to avoid data breaches.  The Board will issue penalties following an investigation.

Lacunas of this Act-

  1. Bill does not regulate harms arising from processing of data-  The risks of harms resulting from the processing of personal data are not regulated by the Bill.  The Srikrishna Committee (2018) had noted that processing personal data could have negative effects.   Material losses like monetary loss and loss of access to benefits or services are examples of harm.  Identity theft, reputational damage, discrimination, and irrational profiling and surveillance may also be included.  It had suggested that data protection laws be used to control harms.
  2. Right to data portability and the right to be forgotten not provided- The right to data portability allows data principals to obtain and transfer their data from the data fiduciary for their own use, in a structured, commonly used, and machine-readable format.  It gives the data principal greater control over their data.
    The phrase “right to be forgotten” refers to a person’s ability to control how much of their personal information is made public online.  According to the Srikrishna Committee (2018), the right to be forgotten is a concept that seeks to impose memory constraints on an otherwise infinite digital realm.  The Committee did emphasize, however, that this right might need to be balanced against other rights and interests.  The exercise of this right may conflict with another person’s freedom of expression and informational rights.  Its applicability may depend on elements like the sensitive nature of the restricted personal data, the significance of the data to the public, and the data principal’s role in public life.
  3. Appointment of Board Members for a short term- According to the Bill, the Data Protection Board of India would operate as an autonomous body.  Members shall be appointed for a period of two years and have the option of being reappointed.  Short terms with the possibility of reappointment may hinder the Board’s ability to act independently.