Indian Digital Policy
UDIT AGGARWAL
VINOD KUMAR
IIFT DELHI
The Digital Personal Data Protection Bill, 2023
➢ Personal data may be processed only for a lawful purpose upon consent of an individual. Consent may not be required for specified legitimate uses such as the voluntary sharing of data by the individual or processing by the State for permits, licenses, benefits, and services.
➢ Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.
➢ The Bill grants certain rights to individuals including the right to obtain information, seek correction and erasure, and grievance redressal.
➢ The central government may exempt government agencies from the application of provisions of the Bill in the interest of specified grounds such as security of the state, public order, and prevention of offences.
➢ The central government will establish the Data Protection Board of India to adjudicate non-compliance with the provisions of the Bill.
INDIAN DIGITAL ACT, 2023
INDIAN DIGITAL ACT IDENTIFICATION OF ISSUES EDUCATING PEOPLE OPTIMAL IMPLEMENTATION
KEY INFO ABOUT INDIAN DIGITAL ECOSYSTEM
➢ Internet Users: 692 million
➢ Rural Users: 399 million
➢ Per Month Data Use: 19.5 GB
➢ Largest Internet User: #2
➢ Internet Penetration Rate: 48.7%
➢ Internet Revenue: $63 billion
Scope and Applicability
➢ 2018 Draft Bill: Processing of personal data: (i) within India, (ii) outside India if it is for business carried on, offering of goods and services, or profiling individuals, in India
➢ 2019 Bill: Expands the scope under the 2018 Bill to cover certain anonymized personal data
➢ 2023 Bill: Does not cover offline personal data and non-automated processing
Reporting of Data Breaches
➢ 2018 Draft Bill: Fiduciary to notify the Data Protection Authority about a breach that is likely to cause harm, the Authority will decide whether to notify the data principals or not
➢ 2019 Bill: Same as the 2018 Bill
➢ 2023 Bill: Every personal data breach must be reported to the Data Protection Board of India and each affected data principal, in the prescribed manner
Right to Data Portability and Right to be Forgotten
➢ 2018 Draft Bill: Data principal will have the right to data portability (to obtain data in interoperable format), and right to be forgotten (to restrict disclosure of personal
➢ 2019 Bill: Provided for both rights
➢ 2023 Bill: Not provided
Personal data processing by the State has been given several exemptions under the Bill. As per Article 12 of the Constitution, the State includes (i) central government, (ii) state government, (iii) local bodies, and (iv) authorities and companies set up by the government. There may be certain issues with such exemptions.
For interception of communication on grounds such as national security, the Supreme Court (1996) had mandated various safeguards including: (i) establishing necessity, (ii) purpose limitation, and (iii) storage limitation. These are similar to the obligations of data fiduciaries under the Bill, the application of which has been exempted. The Srikrishna Committee (2018) recommended that in case of processing on grounds such as national security and prevention and prosecution of offences, obligations other than fair and reasonable processing and security safeguards should not apply.
The Bill does not regulate risks of harm arising out of the processing of personal data. The Srikrishna Committee (2018) observed that harm is a possible consequence of personal data processing. Harm may include material losses such as financial loss and loss of access to benefits or services. It may also include identity theft, loss of reputation, discrimination, and unreasonable surveillance and profiling. [4] It had recommended that harms should be regulated under a data protection law.
Adequacy of protection in case of cross-border transfer of data
The Bill provides that the central government may restrict the transfer of personal data to certain countries through a notification. This implies the transfer of personal data to all other countries without any explicit restrictions. The question is whether this mechanism will provide adequate protection.
Whether overriding consent for purposes such as benefit, subsidy, license, and certificates is appropriate
The Bill overrides the consent of an individual where the State processes personal data for the provision of benefit, service, license, permit, or certificate. It specifically allows the use of data processed for one of these purposes for another. It also allows the use of personal data already available with the State for any of these purposes. Hence, it removes purpose limitation, which is one of the key principles for protection of privacy. Purpose limitation means data should be collected for specific purposes, and should be used only for that purpose. The question is whether such exemptions are appropriate.
Since data taken for various purposes could be combined, this could allow the profiling of citizens. On the other hand, if consent were required, individuals would have autonomy and control over the collection and sharing of their data.
Right to data portability and the right to be forgotten not provided
The Bill does not provide for the right to data portability and the right to be forgotten. The 2018 Draft Bill and the 2019 Bill introduced in Parliament provided for these rights. The Joint Parliamentary Committee, examining the 2019 Bill, recommended retaining these rights. GDPR also recognizes these rights. The Srikrishna Committee (2018) observed that a strong set of rights of data principals is an essential component of a data protection law. These rights are based on principles of autonomy, transparency, and accountability to give individuals control over their data.
KEY ISSUES AND ANALYSIS
Shorter appointment term may impact independence of the Board
The Bill provides that members of the Data Protection Board of India will function as an independent body. Members will be appointed for two years and will be eligible for re-appointment. A short term with the scope for re-appointment may affect independent functioning of the Board.
Definition of child different from other jurisdictions
While it is an accepted principle that the processing of a child’s data should be subject to greater protection, there are differences in how different jurisdictions define a child for giving consent for the processing of personal data. Under the Bill, a child has been defined as a person below 18 years of age. The Srikrishna Committee (2018) recommended that while determining the age of consent for children, certain factors should be considered. These include: (i) a minimum age of 13 and a maximum age of 18, and (ii) a single threshold for ensuring practical implementation. [4] It also observed that 18 years may be too high from the perspective of the full autonomous development of a child. [4] However, to be consistent with the existing legal framework, the age of consent should be 18 years. Under the Indian Contract Act, 1872, the minimum age to sign a contract is 18.
Drafting Issues
Lawmakers made errors while drafting the law, which could lead to incorrect interpretation. For example, Clause 27 (1) (e) refers to sub-section (2) of Clause 36; however, Clause 36 does not have any sub-sections.
Exemption from notice for consent may not be appropriate
Taking verifiable parental consent may require verification of everyone’s age on digital platforms
Lack of clarity on what constitutes detrimental to well-being of a child
Shortcomings of the PIPL
➢ No derogation provisions: Unlike other countries, the PIPL has no derogation provisions for cross-border transfer.
➢ No privacy by design: The PIPL lacks provisions for data protection by design and by default.
➢ No clear consent form: The PIPL requires businesses and government agencies to obtain individual consent before processing personal information, but the required form and method of that consent is not clear.
➢ Exemptions: The PIPL exempts businesses and government agencies from obtaining individual consent when there is a “statutory basis”.
Shortcomings of the GDPR
➢ Vague provisions: The GDPR's provisions are often vague and difficult for corporations to interpret.
➢ Data brokers: Data brokers are still stockpiling and selling information, which eventually defeats the purpose of the law.
➢ Fines on big tech: GDPR didn't impose substantial fines on big tech, most of which continue to conduct extensive online surveillance on a huge scale, evading significant consequences.
➢ Unresolved filings: A large and increasing pile of filings is still unresolved, some of which date back to the day GDPR was launched.
Learnings from the PIPL
➢ Over 290,000 multinational corporations are active in India, and the diplomatic dynamics of India differ significantly from those of China. Consequently, it is crucial for India to establish derogation provisions to uphold harmony with the legal frameworks of partner nations.
➢ While the Chinese political system may afford less privacy, India must prioritize safeguarding the privacy of its citizens.
➢ The formulation of clear and robust laws is essential, as ambiguous consent forms could potentially create loopholes with implications for the public.
➢ In contrast to China, India should only permit exemptions in cases of national security and should avoid unnecessary scrutiny of data.
Learnings from the GDPR
➢ India must precisely articulate its laws, aiming for comprehensive coverage, as overlooking certain aspects could result in loopholes and potential abuse of power by major corporations in the future.
➢ Establishing a robust security check system is imperative to counteract existing data brokers who might retain and sell data, necessitating a thorough data auditing process.
➢ Implementing fines based on the size of firms can serve as a deterrent, preventing large corporations from abusing their influence.
➢ India should institute an effective mechanism from the outset to prevent the accumulation of filings in the future, thereby averting the development of bureaucratic red tape.
SUGGESTED CHANGES
➢ Compliance Burden: The act’s regulations may place a significant burden on businesses, particularly small and medium-sized enterprises (SMEs).
➢ Freedom of Expression: The review of the "safe harbour" principle for online platforms could potentially impact freedom of expression. Ensuring that the act doesn't curb this fundamental right is a delicate task.
➢ Proper Infrastructure: Effective enforcement of the DIA will require substantial resources, expertise, and infrastructure. Investing in these areas will be crucial.
➢ Privacy Concerns: Critics argue that certain provisions of the act may grant excessive surveillance powers to the government, potentially compromising privacy rights.
Data Localization and Cross-Border Data Flows
The act’s approach to data localization is a point of contention. While localization can enhance data protection and security, it may also disrupt cross-border data flows, impacting global businesses that rely on efficient data transfers.
Modification
➢ India hosts more than 290,000 multinational corporations (MNCs), all of which need to transfer data across borders. This underscores the importance of harmonizing our digital laws with those of other countries.
➢ This also implies that the government should establish a system for monitoring the flow of data leaving India. To achieve this, the government should consider forming organizations similar to customs agencies to oversee data transfers.
➢ India needs to set up contractual clauses that can be used to ensure that personal data transferred to a third country is adequately protected, covering a wide range of topics, including data security, and data subjects' rights.
SUGGESTED INFRASTRUCTURE
➢ National Cybersecurity Strategy: Develop a comprehensive national cybersecurity strategy that outlines the government's approach to securing critical infrastructure, protecting sensitive information, and responding to cyber threats.
➢ Security Information Sharing: Create mechanisms for sharing cybersecurity threat intelligence and information between government agencies, private sector organizations, and international partners.
➢ Cybersecurity Awareness and Education: Promote cybersecurity awareness and education campaigns to educate citizens, businesses, and government employees about best practices and threats.
➢ Secure Government Networks: Secure government IT systems and networks through measures such as firewalls, intrusion detection and prevention systems, and data encryption.
➢ Regulatory Compliance: Ensure that government agencies comply with relevant cybersecurity standards, such as NIST Cybersecurity Framework, to protect government data and systems.
➢ Open Source Software Security: Pay attention to the security of open-source software used in government systems and encourage secure coding practices.
➢ Secure Cloud Adoption: If using cloud services, ensure the security of government data stored in the cloud by following best practices and compliance standards.
➢ Emergency Communication Systems: Ensure the security of emergency communication systems, such as 911 services, to maintain their availability during crises.
Communicating Law to Public
➢ Awareness Campaigns: Launch comprehensive campaigns through various media channels, including television, and social media, to disseminate information.
➢ Online Platforms: Develop user-friendly websites and online platforms dedicated to educating the public about digital laws in India.
➢ Mobile Apps & Websites: Create mobile apps that offer concise information, updates, and resources related to digital laws.
➢ Workshops and Seminars: Conduct workshops and seminars in schools, colleges, and community centres.
➢ Collaborate with Institutions: Partner with schools, colleges, and universities to integrate digital law education into the curriculum.