On 09 August 2023, the Indian Parliament passed the much awaited Digital Personal Data Protection Bill, 2023 (“DPDP Bill“). The DPDP Bill seeks to introduce data protection law with minimum disruption while ensuring necessary change in the way Data Fiduciaries (i.e. persons who determines the purpose and means of processing of personal data) process personal data; enhancing the ease of living and the ease of doing business; and enable India’s digital economy and its innovation ecosystem.
Certain provisions of the DPDP Bill are as follows:
- The DPDP Bill provides for processing digital personal data in a manner that recognises both the rights of individuals to protect their personal data and the need to process such personal data for lawful purposes and related matters.
If any Indian law provides for a higher degree of protection or restriction on transfer of personal data by a Data Fiduciary outside India, then such laws would continue to apply and will prevail over the restrictions placed under the DPDP Bill.
- The DPDP Bill applies to digital personal data in digital form or non-digital form which is subsequently digitised, processed within and outside India for any activity related to offering goods or services to Data Principals (i.e. the persons to whom the data relates) within India. However, personal data processed by an individual for any personal or domestic purpose and which has been made publicly available either by a Data Principal or any other person under a legal obligation to do so, has been excluded from the purview of the DPDP Bill.
- Unless a country is specifically restricted by the Government of India, the DPDP Bill provides for, subject to its provisions, the transfer of personal data by a Data Fiduciary to all countries.
- The DPDP Bill has provided certain exemptions which will not apply to protection of Personal Data such as in cases of processing personal data by an instrumentality of the State as the Central Government may notify or in the interests of sovereignty and integrity of India, security of the State, in the maintenance of public order and for research, archiving or statistical purposes.
- Rights of the Data Principal and obligations of Data Fiduciaries (except data security) will not apply in certain cases including for enforcing any legal right or claim, processing personal data by any court or tribunal or any other body in India, processing personal data in the interest of prevention, detection, investigation or prosecution of any offence, and for processing necessary for a scheme of compromise or arrangement or merger or amalgamation, etc.
- The Data Protection Board of India which will be constituted under the provisions of the DPDP Bill has been empowered to impose penalties, as per the Schedule to the DPDP Bill, up to INR 2.5 billion (approx. USD 30 million), and in this regard the DPDP Bill provides certain parameters for determining the amount of monetary penalty to be imposed such as nature, gravity and duration of the breach, type and nature of personal data breached, repetitive nature of the breach(es) and impact of imposition of monetary penalty.
The Digital Personal Data Protection Bill, 2023 can be accessed at: