The Bill specifies penalties up to Rs 200 crore for non-fulfilment of obligations for children, and Rs 250 crore for failure to take security measures to prevent data breaches. Penalties will be imposed by the Board after conducting an inquiry.
In 2017, the central government constituted a Committee of Experts on Data Protection, chaired by Justice B. N. Srikrishna, to examine issues relating to data protection in the country. The Committee submitted its report in July 2018. Based on the recommendations of the Committee, the Personal Data Protection Bill, 2019 was introduced in Lok Sabha in December 2019. The Bill was referred to a Joint Parliamentary Committee, which submitted its report in December 2021. In August 2022, the Bill was withdrawn from Parliament; the principal reason given was that the legislation must not be a ‘net loss’ to Indian businesses, especially start-ups. Between 3 and 9 August 2023, the Bill was passed in both Houses with a thumping majority under a new name, “the Digital Personal Data Protection Bill”.
Minister of Electronics and Information Technology Ashwini Vaishnaw said that these provisions would be put into motion over the coming six to ten months, although it may happen faster than that.
The Bill also has some exceptions, including the following:
- Exemptions to data processing by the State on grounds such as national security may lead to data collection, processing, and retention beyond what is necessary. This may violate the fundamental right to privacy.
- The Bill does not regulate risks of harms arising from processing of personal data.
- The Bill does not grant the right to data portability and the right to be forgotten to the data principal.
- The Bill allows transfer of personal data outside India, except to countries notified by the central government. This mechanism may not ensure adequate evaluation of data protection standards in the countries where transfer of personal data is allowed.
- The members of the Data Protection Board of India will be appointed for two years and will be eligible for re-appointment. The short term with scope for re-appointment may affect the independent functioning of the Board.
- Personal data may be processed only for a lawful purpose after obtaining the consent of the individual.
- An individual whose data is being processed (data principal), will have the right to: (i) obtain information about processing, (ii) seek correction and erasure of personal data, (iii) nominate another person to exercise rights in the event of death or incapacity, and (iv) grievance redressal. Data principals will have certain duties. They must not: (i) register a false or frivolous complaint, and (ii) furnish any false particulars or impersonate another person in specified cases. Violation of duties will be punishable with a penalty of up to Rs 10,000.
- The central government will establish the Data Protection Board of India. Key functions of the Board include: (i) monitoring compliance and imposing penalties, (ii) directing data fiduciaries to take necessary measures in the event of a data breach, and (iii) hearing grievances made by affected persons. Board members will be appointed for two years and will be eligible for re-appointment. The central government will prescribe details such as the number of members of the Board and the selection process. Appeals against the decisions of the Board will lie with TDSAT.
- The schedule to the Bill specifies penalties for various offences such as up to: (i) Rs 200 crore for non-fulfilment of obligations for children, and (ii) Rs 250 crore for failure to take security measures to prevent data breaches. Penalties will be imposed by the Board after conducting an inquiry.
- The Bill will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised. It will also apply to such processing outside India, if it is for offering goods or services in India.
- Personal data may be processed only for a lawful purpose upon consent of an individual. Consent may not be required for specified legitimate uses such as voluntary sharing of data by the individual or processing by the State for permits, licenses, benefits, and services.
- Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.
- The Bill grants certain rights to individuals including the right to obtain information, seek correction and erasure, and grievance redressal.
- The central government may exempt government agencies from the application of provisions of the Bill in the interest of specified grounds such as security of the state, public order, and prevention of offences.
- The central government will establish the Data Protection Board of India to adjudicate on non-compliance with the provisions of the Bill.
Vaibhav Tare, CISO & Global Head – Cloud & Infrastructure Services, Fulcrum Digital Inc., said, “It is a moment of pride for us as the Digital Personal Data Protection Bill has been passed by the Rajya Sabha today. This is a major step forward for India in protecting the privacy of its citizens. Fulcrum Digital is committed to complying with the provisions of the Bill and ensuring that we handle our customers’ data responsibly.”
“The Bill sets forth a comprehensive framework for the collection, use, and sharing of personal data in India and empowers individuals to take action against businesses that misuse it. The Bill also establishes a Data Protection Authority to enforce the law and protect the privacy of citizens. The passage of the DPDP Bill is a major victory for privacy advocates in India. It is a sign that the government is committed to protecting the privacy of its citizens. Fulcrum Digital is looking forward to working in tandem with the government to implement the Bill in an effort to respect the citizens it protects and empowers,” he added.
Sunil Sharma, Vice President – Sales India and SAARC, Sophos said, “The Digital Personal Data Protection Bill is a welcome step towards strengthening India’s cybersecurity posture. The bill provides a comprehensive framework for regulating the use of data by private businesses, and it will help protect Indian citizens from cyber threats and other misuse of their digital data.”
“We are pleased that the Bill includes provisions for data localization, which will ensure that data stays within the country’s borders. This is essential for protecting Indian citizens’ privacy and security, and it will also boost job creation within the security space. We look forward to working with the Government of India to implement the Bill and strengthen cybersecurity postures within the country,” he added.
Vijay Bharti, CISO, Happiest Minds Technologies, said, “Data is one of the most important assets for every organization in today’s digital era. As more and more organizations start leveraging the power of digital, the risk of data breaches is also increasing. Today, data is stored across multiple environments such as on-premises, private clouds, different public clouds, third-party SaaS and service providers, which makes it difficult for organizations to uniformly apply and monitor the necessary security policies and technical controls using traditional security frameworks and tools. The increase in the number of ransomware, social engineering and supply chain attacks in the recent past has also resulted in many data breaches. The associated cost of managing any such data breach has also increased multi-fold due to the increased scope and exposure of these diverse environments.”
“We at Happiest Minds Technologies are committed to helping our clients protect their data. We have a team of experienced data security professionals who can help you assess your current risks and implement the necessary measures to protect your data. Our Digital Risk Management practice has adopted industry-leading research, frameworks and tools to address data security and privacy requirements for today’s digital organization,” he added.
In a recent data breach study conducted by IBM in 2023, it was found that the average cost of a data breach has increased to $4.45 million. This is a significant increase from the average cost of a data breach in 2022, which was $3.92 million. The study also found that the number of data breaches has increased in recent years: in 2023, over 360,000 data breaches were reported worldwide, an increase of 10% over the number reported in 2022. The IBM study also found that the average time to identify a data breach is 280 days.