Lok Sabha passes Digital Personal Data Protection Bill, 2023

Aug 7, 2023

The Lok Sabha on Monday passed the Digital Personal Data Protection Bill, 2023 which lays down the obligations of entities handling and processing data as well as the rights of individuals. The bill proposes a maximum penalty of Rs 250 crore and minimum of Rs 50 crore on entities violating the norms.

Some amendments moved by opposition members were defeated by a voice vote.

Moving the bill for consideration and passage, Union IT Minister Ashwini Vaishnaw said opposition members had little concern for issues such as public welfare and the protection of people's personal data, and hence, they were raising slogans. He also urged the House to pass the bill unanimously.

The norms of the bill will apply to personal data collected within India from data principals online, and personal data collected offline, but subsequently digitised. It will also apply to such processing outside India if it is for offering goods or services to individuals in India.

Vaishnaw had tabled the bill in the lower house on August 3. Opposition had demanded that it should be sent to the standing committee for scrutiny. While moving the bill, the IT minister had rejected suggestions that it was a money bill saying it was a "normal bill".

The bill provides for the processing of digital personal data in a manner “that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes”.

Key provisions of the bill

1. Firms dealing with user data must protect personal data even if it is stored with a third-party data processor
2. In case of a data breach, companies must inform the Data Protection Board (DPB) and users
3. Children’s data and data of physically disabled persons with guardians must be processed after consent from guardians
4. Firms must appoint a Data Protection Officer, and provide such details to users
5. The Centre retains the power to restrict the transfer of personal data to any country, or territory outside India
6. Appeals against DPB decisions to be heard by the Telecom Disputes Settlement and Appellate Tribunal
7. DPB may summon, examine people under oath, inspect books, and documents of companies working with personal data
8. DPB to decide on penalty after considering the nature and gravity of the breach, the type of personal data impacted
9. DPB may advise government to block access to an intermediary, if DPDP Bill provisions are breached more than twice
10. Penalties can go up to Rs 250 crore for a data breach, failure to protect personal data or inform DPB and users of the breach.

[The Economic Times]