The Digital Personal Data Protection Bill (DPDPB) has been signed into law by Indian President Droupadi Murmu, after being unanimously passed by both houses of parliament. This marks a significant step towards securing people’s personal information in the digital age. The Indian government stated that the bill aims to process digital personal data in a manner that respects individuals’ rights to protect their personal data while allowing for lawful processing and related matters.

The DPDPB has been in the making for over five years, with a first draft released in July 2018. The bill comes after India’s Supreme Court recognized privacy as a fundamental right. The legislation applies to personal data collected both online and offline, inside and outside of India, and requires that information be processed only for a lawful purpose with the consent of the individual, storing only what is necessary for the defined purpose.

Explicit consent from users should be obtained along with a notice informing them of the purpose for which their personal data will be processed. “Personal data” refers to any data that can identify an individual. However, certain legitimate uses do not require explicit consent, for example processing personal data that a user provides voluntarily, as when opting to receive bills via email. The bill also exempts certain data fiduciaries, such as startups, from compliance requirements.

When processing personal data of children aged up to 18 years or individuals with disabilities who have lawful guardians, companies must obtain verifiable consent from their parents or guardians. The bill prohibits processing that is detrimental to the well-being of children, including tracking, behavioral monitoring, or targeted advertising.

Entities responsible for personal data must maintain data accuracy, ensure data security, and delete data once its purpose has been fulfilled. Users have the right to access information, request corrections and erasure, and seek grievance redressal.

The DPDPB establishes a Data Protection Board (DPB) composed of members appointed by the government. The DPB is responsible for examining complaints, investigating data breaches, and imposing penalties based on the severity, duration, and repetitive nature of the incidents.

If a citizen’s data is breached, individuals can visit the DPB’s website and provide details so that the board can initiate an inquiry and impose penalties on the breaching platforms. Organizations that misuse or fail to safeguard individuals’ digital data or fail to report a hack to the DPB can face monetary fines of up to ₹250 crore ($30.1 million). Decisions of the board can be reviewed by the Telecom Disputes Settlement and Appellate Tribunal within 60 days.

A notable change from the earlier draft of the bill is that companies handling personal data can now transfer it to any other country for processing, unless explicitly prohibited by the central government. Previously, cross-border data transfers were only allowed to specific countries and territories.

However, a major concern is the broad exemption granted to government agencies, allowing them to bypass the provisions of the act in the interest of prevention, detection, investigation, or prosecution of offenses or contraventions of any law in force in India. Critics argue that this exemption could potentially lead to excessive data collection, processing, and retention, enabling increased mass surveillance and invasions of privacy by the government.

Some critics argue that the DPDPB, in its present form, does not adequately safeguard the Right to Privacy and should not be enacted. Critics also argue that the bill does not adequately address data protection concerns and instead gives too much power to state and private actors to collect and process personal data. Concerns have also been raised about the potential for unbridled censorship of dissenting opinions through government restrictions on access to information.

Overall, the DPDPB represents a significant step towards protecting personal data in India, but its exemptions and potential implications have sparked debates and criticisms among privacy advocates and civil society organizations.
