ARTH-ODYOG

UDIT AGGARWAL
VINOD KUMAR
IIFT DELHI
The Digital Personal Data Protection Bill, 2023

HIGHLIGHTS OF THE BILL

➢ The Bill will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitized. It will
also apply to such processing outside India, if it is for offering goods or services in India.

➢ Personal data may be processed only for a lawful purpose upon consent of an individual. Consent may not be required for specified legitimate uses such
as the voluntary sharing of data by the individual or processing by the State for permits, licenses, benefits, and services.

➢ Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.

➢ The Bill grants certain rights to individuals including the right to obtain information, seek correction and erasure, and grievance redressal.

➢ The central government may exempt government agencies from the application of provisions of the Bill in the interest of specified grounds such as
security of the state, public order, and prevention of offences.

➢ The central government will establish the Data Protection Board of India to adjudicate non-compliance with the provisions of the Bill.
 INDIAN DIGITAL ACT, 2023
INDIAN DIGITAL ACT IDENTIFICATION OF ISSUES EDUCATING PEOPLE OPTIMAL IMPLEMENTATION

KEY INFODIGITAL
INDIAN ABOUT 692 million 399 million 19.5 GB #2 48.7% $63 billion
ECOSYSTEM
ALLCARGO LOGISTICS Internet Rural Per Month Largest Internet Internet
Users Users Data Use Internet User Penetration Rate Revenue

KEY COMPONENTS OBJECTIVES Features

Open Internet Create adaptable To deliver timely remedies to

➢ The DIA will replace the two-decade-
• Internet should have — choice, competition, online rules for evolving citizens, resolve cyber disputes, old Information Technology Act of
diversity, fair market access, ease of doing business as well tech trends, and enforce the rule of law on 2000 (IT Act).
as ease of compliance for startups. update them as the internet.
Awareness Remedies
needed.
Online Safety and Trust ➢ The DIA's framework will focus on
key elements such as online safety,
• Safeguarding users against cyber threats— like revenge
porn, defamation, and cyberbullying. trust, and accountability, ensuring an
To offer an easily Mechanism Framework To provide a
Right to Digital Inheritance accessible adjudicatory open internet, and regulating new-
legislative framework
• Passing down digital assets to designated beneficiaries, mechanism for online keeping governing age technologies like artificial
protecting minors and their data from addictive civil and criminal principles in mind to intelligence and blockchain.
technology, and moderating fake news on social media offenses ensure compliance.
platforms.
Accountable Internet ➢ The DIA will work in conjunction
• Aims to make internet users more accountable by
with other related laws and policies.
introducing legal mechanisms for redressal of complaints,
upholding constitutional rights in cyberspaces, algorithmic N Outdated Global ➢ DIA mandates stringent Know Your
transparency and periodic risk assessments, and disclosure
norms for data collected by intermediaries
E Regulations Alignment Customer (KYC) requirements for
wearable devices, with associated
Transparency E criminal law sanctions and penalties.
Legal E-
• Disclosure norms for data collected by intermediaries D Adaptation Commerce
EVOLUTION OF DIGITAL LAWS IN INDIA
The Draft Personal Data The Personal Data The Digital Personal Data
BASIS Protection Bill, 2018 Protection Bill, 2019 Protection Bill, 2023

Processing of personal data: (i) within India, (ii) Expands the scope under the 2018 Bill Does not cover offline personal data
outside India if it is for business carried on, to cover certain anonymized personal and non-automated processing
Scope and Applicability offering of goods and services, or profiling data
individuals, in India

Reporting of data Fiduciary to notify the Data Protection Authority Every personal data breach must be reported to
about a breach that is likely to cause harm, the Same as the 2018 Bill the Data Protection Board of India and each
breaches Authority will decide whether to notify the data affected data principal, in the prescribed manner
principals or not

The central government, by order, may exempt

Exemptions from Processing must be authorised under a law, and by
agencies where processing is necessary or
The central government may exempt by
the procedure established by law, and must be notification; does not require any procedure or
provisions necessary and proportionate
expedient, subject to certain procedures, safeguards to be specified
safeguards, and oversight

Right to Data Data principal will have the right to data portability
(to obtain data in interoperable format), and right
Portability And Right to to be forgotten (to restrict disclosure of personal
Provided for both rights Not provided

be Forgotten data over internet)

Harm includes monetary loss, identity theft, loss of

Harm from processing reputation, and unreasonable surveillance Same as the 2018 Bill Not provided
Data fiduciaries to take measures to minimize and
of personal data mitigate risks of harm

Provides for the Data Protection

Provides for establishing: (i) the Data Protection Board of India, whose primary
Authority of India to regulate the sector, and (ii) Same as the 2018 Bill
Regulator the Appellate Tribunal.
function is to adjudicate non-
compliance;
 KEY ISSUES AND ANALYSIS
Exemptions to the State may have adverse
implications for privacy
Personal data processing by the State has been given
several exemptions under the Bill. As per Article 12
of the Constitution, the State includes (i) central
government, (ii) state government, (iii) local bodies,
and (iv) authorities and companies set up by the
government. There may be certain issues with such
exemptions.
Adequacy of protection in case of cross-border
transfer of data
The Bill provides that the central government may
restrict the transfer of personal data to certain
countries through a notification. This implies the
transfer of personal data to all other countries
without any explicit restrictions. This question is
whether this mechanism will provide adequate
protection.
The Bill may enable unchecked data processing by
the State, which may violate the right to privacy
For interception of communication on grounds such as national security, the
Supreme Court (1996) had mandated various safeguards including: (i)
establishing necessity, (ii) purpose limitation, and (iii) storage limitation.
These are similar to the obligations of data fiduciaries under the Bill, the
application of which has been exempted. The Srikrishna Committee (2018)
recommended that in case of processing on grounds such as national
security and prevention and prosecution of offences, obligations other than
fair and reasonable processing and security safeguards should not apply.
Whether overriding consent for purposes such as
benefit, subsidy, license, and certificates is appropriate
The Bill overrides the consent of an individual where the State processes
personal data for the provision of benefit, service, license, permit, or
certificate. It specifically allows the use of data processed for one of these
purposes for another. It also allows the use of personal data already
available with the State for any of these purposes. Hence, it removes
purpose limitation, which is one of the key principles for protection of
privacy. Purpose limitation means data should be collected for specific
purposes, and should be used only for that purpose. The question is
whether such exemptions are appropriate.
Since data taken for various purposes could be combined, this could allow
the profiling of citizens. On the other hand, if consent were required,
individuals would have autonomy and control over the collection and sharing
of their data.
The Bill does not regulate harm arising from
processing of personal data
The Bill does not regulate risks of harm arising out of
the processing of personal data. The Srikrishna
Committee (2018) observed that harm is a possible
consequence of personal data processing. Harm
may include material losses such as financial loss and
loss of access to benefits or services. It may also
include identity theft, loss of reputation,
discrimination, and unreasonable surveillance and
profiling.4 It had recommended that harms should
be regulated under a data protection law.
Right to data portability and the right to be
forgotten not provided
The Bill does not provide for the right to data
portability and the right to be forgotten. The 2018
Draft Bill and the 2019 Bill introduced in Parliament
provided for these rights. The Joint Parliamentary
Committee, examining the 2019 Bill, recommended
retaining these rights. GDPR also recognizes these
rights. The Srikrishna Committee (2018) observed
that a strong set of rights of data principals is an
essential component of a data protection law. These
rights are based on principles of autonomy,
transparency, and accountability to give individuals
control over their data.
 KEY ISSUES AND ANALYSIS
Shorter appointment term may impact
independence of the Board
The Bill provides that members of the Data
Protection Board of India will function as an
independent body. Members will be appointed for
two years and will be eligible for re-appointment. A
short term with the scope for re-appointment may
affect independent functioning of the Board.
Exemption from notice for consent may not be
appropriate
The Bill empowers the central government to notify
certain data fiduciaries or classes of data fiduciaries
including startups of certain obligations. This must
be done with due regard to the volume and nature
of personal data. One of the obligations which may
be exempted is notice for consent. The requirement
to seek free and informed consent will continue to
apply in the case of these entities. However, if there
is no obligation to provide notice regarding the
nature of the data collected and the purpose of
processing, it may be argued that a data principal
will not be able to provide informed consent.
Definition of child different from other jurisdictions Drafting Issues
While it is an accepted principle that the processing of a child’s data should
be subject to greater protection, there are differences in how different
Lawmakers made errors while drafting the law,
jurisdictions define a child for giving consent for the processing of personal
which could lead to incorrect interpretation.
data. Under the Bill, a child has been defined as a person below 18 years of
For example: Clause 27 (1) (e) refers to the sub-
age. The Srikrishna Committee (2018) recommended that while determining
section (2) of Clause 36, however, Clause 36 does
the age of consent for children, certain factors should be considered. These
not have any sub-sections.
include: (i) a minimum age of 13 and a maximum age of 18, and (ii) a single
threshold for ensuring practical implementation.4 It also observed that 18
years may be too high from the perspective of the full autonomous
development of a child.4 However, to be consistent with the existing legal
framework, the age of consent should be 18 years. Under the Indian
Contract Act,1872, the minimum age to sign a contract is 18.
Taking verifiable parental consent may require Lack of clarity on what constitutes detrimental
verification of everyone’s age on digital platforms to well-being of a child
The Bill requires all data fiduciaries to obtain verifiable consent from the
legal guardian before processing the personal data of a child. To comply The Bill provides that the data fiduciary will not
with this provision, every data fiduciary will have to verify the age of undertake any processing which has a detrimental
everyone signing up for its services. It will be needed to determine whether effect on well-being of the child. The Bill has not
the person is a child, and thereby obtain consent from their legal guardian. defined detrimental effects. It has also not provided
This may help avoid instances of children giving false declarations. However, any guidance for determining such an effect.
this may reduce anonymity in the digital sphere.
Lessons from Others’ Shortcomings
China Personal Information Protection Law (PIPL) EU’s General Data Protection Regulation (GDPR)

Shortcomings Shortcomings

Unlike other countries, the PIPL has no derogation provisions for The GDPR's provisions are often vague and difficult to interpret by
No derogation provisions Vague provisions
cross-border transfer. corporate.

The PIPL lacks provisions for data protection by design and by Data brokers are still stockpiling and selling information, which
No privacy by design Data brokers
default. eventually defeats purpose of the law.

The PIPL requires businesses and government agencies to obtain GDPR didn't impose substantial fines on big tech, most of which
No clear consent form individual consent before processing personal information, but the Fines on big tech continues to persist in conducting extensive online surveillance on a
required form and method of that consent is not clear. huge scale, evading significant consequences.

The PIPL exempts businesses and government agencies from A large and increasing pile of filings are still unresolved, some of
Exemptions Unresolved filings
obtaining individual consent when there is a “statutory basis”. which date back to the day GDPR was launched.

Learnings Learnings

➢ Over 290,000 multinational corporations are active in India, and the diplomatic
dynamics of India differ significantly from those of China. Consequently, it is crucial for
India to establish derogation provisions to uphold harmony with the legal frameworks
of partner nations.
➢ While the Chinese political system may afford less privacy, India must prioritize
safeguarding the privacy of its citizens.
➢ The formulation of clear and robust laws is essential, as ambiguous consent forms
could potentially create loopholes with implications for the public.
➢ In contrast to China, India should only permit exemptions in cases of national security
and should avoid unnecessary scrutiny of data.
➢ India must precisely articulate its laws, aiming for comprehensive coverage, as
overlooking certain aspects could result in loopholes and potential abuse of power by
major corporations in the future.
➢ Establishing a robust security check system is imperative to counteract existing data
brokers who might retain and sell data, necessitating a thorough data auditing process.
➢ Implementing fines based on the size of firms can serve as a deterrent, preventing
large corporations from abusing their influence.
➢ India should institute an effective mechanism from the outset to prevent the
accumulation of filings in the future, thereby averting the development of bureaucratic
red tape.
SUGGESTED CHANGES
Compliance Burden
The act’s regulations may place a
significant burden on businesses,
particularly small and medium-sized
enterprises (SMEs).
Modification
The government can streamline
data reporting for companies by
creating standardized guidelines
and deploying automated systems.
Data Localization
and Cross-Border
Data Flows
The act’s approach to data localization is a
point of contention. While localization can
enhance data protection and security, it
may also disrupt cross-border data flows,
impacting global businesses that rely on
efficient data transfers.
Freedom of Expression
The review of the "safe harbour" principle
for online platforms could potentially
impact freedom of expression. Ensuring
that the act doesn't curb this fundamental
right is a delicate task.
Modification
To ensure freedom of expression,
firms should have the right to
access data audits and ensure
transparency from the government.
All while maintaining secrecy of
data.
Modification
India hosts more than 290,000
multinational corporations (MNCs), all of
which need to transfer data across
borders. This underscores the importance
of harmonizing our digital laws with those
of other countries.
Proper Infrastructure
Effective enforcement of the DIA will
require substantial resources, expertise,
and infrastructure. Investing in these areas
will be crucial.
Modification
Data privacy is crucial, and the
government must develop a robust
cybersecurity system to ensure data
confidentiality.
This also implies that the government
should establish a system for monitoring
the flow of data leaving India. To achieve
this, the government should consider
forming organizations similar to customs
agencies to oversee data transfers.
Privacy Concerns
Critics argue that certain provisions of the
act may grant excessive surveillance
powers to the government, potentially
compromising privacy rights.
Modification
To prevent abuse of power by the
government, India could establish
an independent organization like
CCI to monitor its actions.
India needs to set up contractual clauses
that can be used to ensure that personal
data transferred to a third country is
adequately protected, covering a wide
range of topics, including data security,
and data subjects' rights.
 SUGGESTED INFRASTRUCTURE
National Cybersecurity
Strategy
Security Information Sharing
Cybersecurity Awareness and
Education
National Computer
Emergency Response Team
Critical Infrastructure
Protection
Incident Response Plans
Secure Government Networks
Develop a comprehensive national cybersecurity strategy
that outlines the government's approach to securing critical
infrastructure, protecting sensitive information, and
responding to cyber threats.DIGITAL ACT
Create mechanisms for sharing cybersecurity threat
intelligence and information between government agencies,
private sector organizations, and international partners.
Promote cybersecurity awareness and education campaigns
to educate citizens, businesses, and government employees
about best practices and threats.
Establish a national CERT or CSIRT (Computer Security
Incident Response Team) to coordinate responses to cyber
incidents and provide guidance to other government
agencies and organizations.
Identify and designate critical infrastructure sectors and
work with organizations in these sectors to enhance their
cybersecurity resilience.
Develop and test incident response plans to ensure a
coordinated and effective response to cyber incidents,
including data breaches and cyberattacks.
Secure government IT systems and networks through
measures such as firewalls, intrusion detection and
prevention systems, and data encryption.
Ensure that government agencies comply with relevant
cybersecurity standards, such as NIST Cybersecurity Regulatory Compliance
Framework, to protect government data and systems.
Pay attention to the security of open-source software used Open Source Software
in government systems and encourage secure coding
practices. Security
If using cloud services, ensure the security of government
data stored in the cloud by following best practices and Secure Cloud Adoption
compliance standards.
Collaborate with other nations and international
organizations to address global cyber threats and promote International Collaboration
international norms and agreements.
Regularly audit and conduct penetration tests on Security Audits and
government systems to identify and address vulnerabilities.
Penetration Testing
Invest in training and developing a skilled cybersecurity Cybersecurity Workforce
workforce within government agencies.
Development
Ensure the security of emergency communication systems, Emergency Communication
such as 911 services, to maintain their availability during
crises. Systems
Communicating Law to Public
Awareness
Campaigns
Launch comprehensive campaigns
through various media channels,
including television, and social media,
to disseminate information.
Community
Engagement
Organize community events and town
hall meetings to address specific
concerns and answer questions
related to digital laws.
Printed
Materials
Distribute pamphlets, brochures, and
posters to reach individuals who may
not have easy access to online
resources.
Community
Ambassadors
Recruit and train individuals from
different communities to act as
ambassadors for digital law
education.
Online
Platforms
Develop user-friendly websites
and online platforms dedicated to
educating the public about digital
laws in India.
Legal Clinics
and Helplines
Establish legal clinics or helplines
where people can seek advice and
clarification regarding digital laws.
Literacy
Initiatives
Integrate digital law education
into broader digital literacy
initiatives to ensure that people
understand data privacy.
Continuous
Updates
Establish a system to provide
regular updates on changes or
additions to digital laws, ensuring
that the public remains informed.
Mobile Apps
& Websites
Create mobile apps that offer
concise information, updates, and
resources related to digital laws.
Partnerships
with NGOs
Collaborate with non-
governmental organizations
(NGOs) to reach marginalized or
underserved communities.
Student
Competitions
Organize competitions,
hackathons, or projects in schools
and colleges that focus on creating
awareness about digital laws.
Online
Courses
Develop and promote online
courses, making it convenient for
individuals to enhance their
knowledge at their own pace.
Workshops and
Seminars
Conduct workshops and seminars
in schools, colleges, and
community centres.
Interactive
Podcasts
Host podcasts featuring experts,
fostering interactive discussions
and addressing common
misconceptions.
Industry
Partnerships
Collaborate with technology
companies, ISPs, and other
stakeholders to promote
responsible digital behaviour.
Feedback
Mechanism
Implement a feedback mechanism
through surveys or online forms
to understand the effectiveness of
initiatives.
Collaborate with
Institutions
Partner with schools, colleges,
and universities to integrate
digital law education into the
curriculum.
Gamification of
Education
Develop educational games and
quizzes that make learning about
digital laws engaging and
entertaining.
Multilingual
Resources
Translate educational materials
into regional languages to ensure
accessibility for diverse linguistic
communities across India.
Crisis Response
Plan
Educate the public about what to
do in case of a digital security
breach or violation, providing a
step-by-step crisis response plan.
THANK
YOU