Lok Sabha on August 7, 2023 passed the Digital Personal Data Protection Bill, 2023 to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.

Chandigarh (ABC Live): India does not have a specific law for data protection and same is regulated by the Information Technology (IT) Act, 2000. 

In 2017, the central government constituted a Committee of Experts on Data Protection headed by Justice B. N. Srikrishna on data protection and the committee in its resubmitted its report in July 2018.

Thereafter on basis of the recommendations made by the Committee, the Personal Data Protection Bill, 2019 was introduced in Lok Sabha in December 2019. The Bill was referred to a Joint Parliamentary Committee which submitted its report in December 2021.

In August 2022, the Bill was withdrawn from Parliament.  In November 2022, a Draft Bill was released for public consultation. In August 2023, the Digital Personal Data Protection Bill, 2023 was passed by Lok Sabha on August 7, 2023 and sent to Rajya Sabha.

As per bill passed by Lok Sabha the data principal (Individual) has following Rights under the Digital Personal Data Protection Bill, 2023

Right to access information about personal data (Section 11)

Right to correction and erasure of personal data (Section 12)

Right of grievance redressal (Section 13)

Right to nominate (Section 14)

Apart from the above mentioned rights given to following are the duties caste upon data principal (Individual) U/s 15 of the bill;

(a) Comply with the provisions of all applicable laws for the time being in force while exercising rights under the provisions of this Act; 

(b) To ensure not to impersonate another person while providing her personal data for a specified purpose; 

(c) to ensure not to suppress any material information while providing her personal data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities;

 (d) To ensure not to register a false or frivolous grievance or complaint with a Data Fiduciary or the Board; 

(e) To furnish only such information as is verifiably authentic, while exercising the right to correction or erasure under the provisions of this Act or the rules made thereunder.

Key Issues and Analysis

Exemptions to data processing by the State on grounds such as national security may lead to data collection, processing, and retention beyond what is necessary.  This may violate the fundamental right to privacy.

The Bill does not regulate risks of harms arising from processing of personal data.  

The Bill does not grant the right to data portability and the right to be forgotten to the data principal.

The Bill allows transfer of personal data outside India, except to countries notified by the central government.  This mechanism may not ensure adequate evaluation of data protection standards in the countries where transfer of personal data is allowed.

The members of the Data Protection Board of India will be appointed for two years and will be eligible for re-appointment.  The short term with scope for re-appointment may affect the independent functioning of the Board.

To read complete bill passed by Lok Sabha click here