DPDP Note


Digital Personal Data Protection Bill 2023

Digital Personal Data Protection Bill 2023: The Digital Personal Data Protection Bill
aims to regulate the processing of digital personal data in India. The Digital Personal
Data Protection Act, 2023 (DPDP Act) came into effect on 11th August 2023. It applies
to both online and offline data collection and processing, including activities outside
India if they involve offering goods or services in India.

Digital Personal Data Protection Bill 2023: Consent and Legitimate Uses:
– Personal data can be processed only for lawful purposes with the individual’s consent,
except for specified legitimate uses.
– Legitimate uses include voluntary data sharing, processing by the State for licenses
and benefits, and medical emergencies.
– Consent is not required for government-provided benefits, and individuals below 18
need parental/guardian consent.

Digital Personal Data Protection Bill 2023: Rights and Duties:
– Individuals (data principals) have rights to information, correction, erasure, and
grievance redressal.
– Data fiduciaries must ensure data accuracy, security, and deletion when no longer
needed.

Digital Personal Data Protection Bill 2023: Transfer of Data:
– Personal data can be transferred outside India, except to countries restricted by the
government.
– Exemptions apply to data processing by the State for national security and public
order.

Digital Personal Data Protection Bill 2023: Data Protection Board:
– The Data Protection Board of India is established to oversee compliance, impose
penalties, and handle grievances.
– Board members serve a two-year term and can be re-appointed.

Digital Personal Data Protection Bill 2023: Key Issues and Analysis:

On August 3, 2023, the Indian Government introduced the Digital Personal Data
Protection Bill, 2023 (DPDP Bill) in the Indian Parliament. This marks the fifth version of
personal data protection legislation and appears to draw from the draft Bill titled Digital
Personal Data Protection Bill, 2022, released by the Ministry of Electronics and
Information Technology on November 18, 2022, which underwent public consultations.
The DPDP Bill specifically addresses digital personal data and does not encompass
non-personal data. Its enactment will replace Section 43A of the Information
Technology Act, 2000 (IT Act), as well as the Information Technology (Reasonable
Security Practices and Procedures and Sensitive Personal Data or Information) Rules,
2011 (SPDI Rules).

Digital Personal Data Protection Bill 2023 Applicability

– The DPDP Bill exclusively pertains to digital personal data, which includes data
collected in digital form or data that is digitized after collection.
– It applies to digital personal data processed outside India if related to offering
goods or services to data principals (data subjects) in India.
– The DPDP Bill does not extend to: (i) personal data processed for personal or
domestic purposes; or (ii) personal data made publicly available by the data
principal or under legal obligation.

Data Protection Principles:
– The DPDP Bill encompasses essential principles:
  – Personal data must be processed solely for a lawful purpose, with the data
  principal’s consent and in compliance with the DPDP Bill.
  – Only necessary personal data should be collected.

Uniform Treatment of Personal Data:
– The DPDP Bill treats all forms of personal data uniformly and does not
differentiate between categories like sensitive or critical personal data.
Consequently, the requirements apply equally to all types of personal data,
departing from the SPDI Rules that distinguish between ‘personal information’
and ‘sensitive personal data or information’.

Consent and Notice:
– Consent forms the basis for personal data processing and must be explicit,
informed, unconditional, and unambiguous, obtained through affirmative action.
– Data principals can withdraw consent easily without affecting prior lawful
processing.
– Notices must inform data principals of their rights, personal data details,
purposes of processing, and methods for exercising rights.

Obligations of Data Fiduciaries:
– Data fiduciaries are accountable for DPDP Bill compliance, even when personal
data is processed by data processors on their behalf.
– When data fiduciaries process personal data likely to impact the data principal,
accuracy and completeness must be ensured.
– Personal data must be deleted when consent is withdrawn or the purpose is no
longer relevant, except when retention is legally required.

Notification of Personal Data Breach:
– Data fiduciaries must inform the DPB (Data Protection Board) and affected data
principals of personal data breaches.

Cross-Border Data Transfer:
– Data fiduciaries can transfer personal data abroad, except to countries restricted
by the Central Government.
– If another law provides more protection or imposes restrictions on cross-border
data transfer, that law prevails.

Significant Data Fiduciaries:
– Significant data fiduciaries, identified by the Central Government, face additional
obligations like appointing a data protection officer and data auditor.

Data of Children and Persons with Disabilities:
– Processing children’s data requires parental consent. Behavioral monitoring and
targeted advertising of children are prohibited.
– The Central Government can exempt certain data fiduciaries and processing
purposes from parental consent and monitoring prohibition.

Rights of Data Principals:
– Data principals have rights to access their data, correct it, and nominate
someone to exercise rights on their behalf after their death or incapacitation.

Data Protection Board of India (DPB):
– The DPB enforces the DPDP Bill, with authority to impose penalties, inquire into
breaches, and issue orders.
– Appeals against DPB orders can be made to the TDSAT and, subsequently, the
Supreme Court.

Power to Call for Information and Block Access:
– The Central Government can seek information from the DPB, data fiduciaries, or
intermediaries.
– In cases of repeated penalties and public interest, the Central Government can
block access to information.

Penalties:
– Monetary penalties up to INR 250 crores may be imposed by the DPB based on
breach severity.
– No compensation is provided for compromised personal data.
– Data principals may be penalized up to INR 10,000 for certain breaches of
duties.

Voluntary Undertaking:
– The DPB can accept voluntary undertakings from those facing non-compliance
actions under the law.

Exemptions:
– Provisions may be exempted for specific purposes and instrumentalities of the
State or enforcement of legal rights.
– Data fiduciaries, including startups, can be exempted from certain obligations.

FAQ 1. What is the Digital Personal Data Protection Act (DPDP Act)?

The DPDP Act is a legal framework introduced in India to safeguard the personal data of
individuals and ensure that their data is shared only with their consent. It regulates the processing
of digital personal data and outlines various provisions to protect individuals’ privacy in the
digital age.

FAQ 2. How was the DPDP Act developed and passed in India?

The DPDP Act was introduced in August 2023 after several stages of development and
legislative processes. It evolved from the 2017 Committee of Experts on Data Protection’s
recommendations, which led to the introduction of the Personal Data Protection Act in 2019.
After several iterations and consultations, the Digital Personal Data Protection Act, 2023, was
introduced and subsequently passed by both the Lok Sabha and the Rajya Sabha. Later on, the
Hon’ble President gave assent to the new Digital Personal Data Protection Act, 2023 on 11th
August 2023, and it became effective from 11th August 2023.

FAQ 3. What is the conceptual basis of the DPDP Act?

The conceptual basis of the DPDP Act is the report of the Expert Committee set up under the
chairmanship of Justice BN Srikrishna, titled “A Free and Fair Digital Economy: Protecting
Privacy, Empowering Indians”.

FAQ 4. What are the principles on which the DPDP Act is based?

The DPDP Act is based on the following seven principles:

1. The principle of consented, lawful and transparent use of personal data;
2. The principle of purpose limitation (use of personal data only for the purpose specified at the time
of obtaining consent of the Data Principal);
3. The principle of data minimisation (collection of only as much personal data as is necessary to
serve the specified purpose);
4. The principle of data accuracy (ensuring data is correct and updated);
5. The principle of storage limitation (storing data only till it is needed for the specified purpose);
6. The principle of reasonable security safeguards; and
7. The principle of accountability (through adjudication of data breaches and breaches of the
provisions of the DPDP Act and imposition of penalties for the breaches).

FAQ 5. What are the current Acts governing data protection in India?

Before the introduction of the DPDP Act, India did not have a standalone Act on data
protection. The use of personal data was regulated under the Information Technology (IT) Act,
2000.

FAQ 6. Whom does the DPDP Act apply to?

The DPDP Act applies to the processing of digital personal data within India, whether collected
online or offline and digitized later on. It also extends its applicability to data processing
conducted outside India if it involves offering goods or services within India.

FAQ 7. Does the DPDP Act apply to data collected offline?

If data is collected offline and digitised later, the Act applies to that data as well. However,
offline personal data that is not digitised is kept outside the ambit of the Act.

FAQ 8. What are the circumstances in which the DPDP Act does not apply?

The DPDP Act shall not apply in the following cases:

(a) Personal data processed by an individual for any personal or domestic purpose.

(b) Personal data that is made or caused to be made publicly available by the person himself
(Data Principal) to whom such personal data relates or any other person who is under an
obligation under any law for the time being in force in India to make such personal data publicly
available.

FAQ 9. Can personal data be used for any purpose under the DPDP Act?

No, personal data can only be used for the specific purpose for which consent was given.
Consent must be free, specific, informed, unconditional, and unambiguous, and it is limited to
the personal data necessary for the specified purpose. Any part of consent that violates the
provisions of the Act or other applicable Acts will be considered invalid.

FAQ 10. Under what grounds can personal data be possessed?

Personal data can be possessed if it is retained for a lawful purpose and with the consent of the
data principal.

FAQ 11. In case of a conflict between a provision of this Act and a provision of any other law
currently in effect, what will be the outcome?

The provisions of this Act shall be in addition to and not in derogation of any other law for the
time being in force. When a conflict arises between a provision of this Act and any provision of
another law currently in force, the provision of this Act will take precedence to the extent of that
conflict. This ensures that the rules and principles established in this Act hold sway in situations
where there might be inconsistency with other existing laws.

3. Key Definitions

FAQ 15. What amounts to “Personal Data”?

Personal Data is defined as any data about an individual who is identifiable by or in relation to
such data.

FAQ 16. What amounts to a personal data breach?

“Personal data breach” means any unauthorised processing of personal data or accidental
disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data that
compromises the confidentiality, integrity or availability of personal data.

FAQ 17. Who is a “Data Principal”?

“Data Principal” means the individual to whom the personal data relates and where such
individual is—

(i) a child, including the parents or lawful guardian of such a child

(ii) a person with a disability, including her lawful guardian, acting on her

FAQ 18. Who is a “Data Fiduciary”?

Data fiduciary means any person who alone or in conjunction with other persons determines the
purpose and means of processing of personal data.

FAQ 19. Who is a significant data fiduciary?

“Significant Data Fiduciary” means any Data Fiduciary or class of Data Fiduciaries as may be
notified by the Central Government under Section 10.

FAQ 20. What is the meaning of the term ‘person’ under the Act?

As per Section 2(s) of the Act, “person” includes—

(a) an individual;

(b) a Hindu undivided family;

(c) a company;

(d) a firm;

(e) an association of persons or a body of individuals, whether incorporated or not;

(f) the State; and

(g) every artificial juristic person, not falling within any of the preceding sub-clauses.

4. Cross-Border Sharing of Personal Data

FAQ 21. ABC Corp is a well-known international social media platform that allows users to
connect, share content, and communicate with each other. While headquartered outside of India,
ABC Corp has a substantial user base in India and offers its services to Indian citizens. Users in
India create profiles, share personal information, and engage in various activities on the platform.
Do its data processing activities fall within the scope of the DPDP Act?

Yes, it will also apply to the processing of data outside India if it is for offering goods or services
in India.

FAQ 22. Can data be transferred outside India under the DPDP Act?

Yes, data transfers outside India are allowed under the DPDP Act, but they must adhere to
specific requirements, including obtaining explicit consent from the data principal and ensuring
that the recipient country offers an adequate level of data protection. However, the Act restricts
the transfer of personal data by a Data Fiduciary for processing to such country or territory
outside India as may be so notified.

FAQ 23. Is it permissible for my organization to move personal data beyond the borders of India?

Yes, subject to certain conditions. Under clause 16 of the Act, the Central Government has the
authority to limit the transfer of personal data by a Data Fiduciary to a foreign country or
territory as may be notified. However, this clause doesn’t prevent any existing Indian law that
offers greater protection or restrictions on such transfers from applying, whether for specific data
or certain Data Fiduciaries.

FAQ 24. Do the regulations outlined in the DPDPB apply to my offshore online platform that offers
services to individuals in India?

The DPDPB’s provisions predominantly pertain to the handling of personal data within India’s
jurisdiction. In the case of organizations operating outside India, the DPDPB applies to a limited
extent—specifically, when such an organization processes the personal data of Indian data
subjects to provide goods or services.

In practical terms, if your offshore online platform offers goods or services to users in India and
processes their personal data for the purpose of delivering these offerings, you would qualify as a
data fiduciary under the DPDPB. Consequently, you would be required to adhere to the
stipulated obligations as outlined in the regulation.

ChatGPT 4 (information below may contain errors)

The Digital Personal Data Protection Act, 2023 (DPDP Act) is an important legislation
proposed by the Ministry of Electronics and Information Technology, Government
of India. Its primary objective is to protect the rights and freedoms of individuals
concerning their personal data in the digital realm. Here are some key points about the
DPDP Act:
1. Purpose and Scope:
   – The DPDP Act aims to regulate the processing of digital personal data.
   – It recognizes both the right of individuals to safeguard their personal data and the need
   to process such data for lawful purposes.
2. Data Protection Board:
   – The Act establishes the Data Protection Board of India.
   – This board plays a crucial role in overseeing data protection matters.
3. Rights and Duties:
   – The DPDP Act outlines the rights and duties of both organizations and individuals.
   – It emphasizes the importance of balancing privacy rights with legitimate data processing
   needs.
4. Significant Data Fiduciaries (SDFs):
   – The Act defines the responsibilities of Significant Data Fiduciaries.
   – These are entities that handle large volumes of personal data.

Now, let’s create a few multiple-choice questions (MCQs) based on this information:

1. MCQ 1:
   – Question: What is the primary purpose of the Digital Personal Data Protection Act,
   2023?
   – Options:
     A. To regulate digital communication
     B. To protect personal data in the digital domain
     C. To promote e-commerce
     D. To monitor social media usage
   – Answer: B. To protect personal data in the digital domain
2. MCQ 2:
   – Question: Which body oversees data protection matters under the DPDP Act?
   – Options:
     A. Data Protection Board of India
     B. Ministry of Electronics and Information Technology
     C. Cyber Security Agency
     D. National Privacy Commission
   – Answer: A. Data Protection Board of India
3. MCQ 3:
   – Question: Who are considered Significant Data Fiduciaries under the DPDP Act?
   – Options:
     A. Individuals who handle personal data
     B. Small businesses
     C. Entities dealing with large volumes of personal data
     D. Government agencies
   – Answer: C. Entities dealing with large volumes of personal data
4. MCQ 4:
   – Question: What is the primary objective of the DPDP Act?
   – Options:
     A. To regulate social media platforms
     B. To protect individuals’ rights regarding their personal data in the digital context
     C. To promote data sharing among organizations
     D. To monitor internet usage
   – Answer: B. To protect individuals’ rights regarding their personal data in the digital
   context
5. MCQ 5:
   – Question: Which authority oversees data protection matters under the DPDP Act?
   – Options:
     A. Ministry of Digital Affairs
     B. Data Protection Board of India
     C. Cybersecurity and Privacy Commission
     D. National Data Security Agency
   – Answer: B. Data Protection Board of India
6. MCQ 6:
   – Question: What are Significant Data Fiduciaries (SDFs) under the DPDP Act?
   – Options:
     A. Individuals who handle personal data for personal use
     B. Entities that process data for research purposes
     C. Organizations dealing with large volumes of personal data
     D. Government agencies responsible for data security
   – Answer: C. Organizations dealing with large volumes of personal data
7. MCQ 7:
   – Question: What rights do individuals have under the DPDP Act?
   – Options:
     A. The right to share personal data freely
     B. The right to access and correct their personal data
     C. The right to sell personal data
     D. The right to use personal data without consent
   – Answer: B. The right to access and correct their personal data
8. MCQ 8:
   – Question: Which type of organizations are required to appoint a Data Protection Officer
   (DPO) under the DPDP Act?
   – Options:
     A. All organizations, regardless of size
     B. Only government agencies
     C. Organizations processing sensitive personal data
     D. Small businesses with fewer than 10 employees
   – Answer: C. Organizations processing sensitive personal data
9. MCQ 9:
   – Question: What penalties can be imposed for non-compliance with the DPDP Act?
   – Options:
     A. Verbal warning
     B. Monetary fines
     C. Community service
     D. Public apology
   – Answer: B. Monetary fines
10. MCQ 10:
   – Question: Which principle emphasizes that personal data should be processed only for
   specific, legitimate purposes?
   – Options:
     A. Data minimization
     B. Purpose limitation
     C. Data accuracy
     D. Consent
   – Answer: B. Purpose limitation
11. MCQ 11:
   – Question: What is the role of the Data Protection Board of India?
   – Options:
     A. To enforce cybersecurity regulations
     B. To promote data sharing
     C. To oversee data protection matters
     D. To develop data privacy apps
   – Answer: C. To oversee data protection matters
12. MCQ 12:
   – Question: What does the DPDP Act define as “personal data”?
   – Options:
     A. Any data stored on a personal computer
     B. Information related to an individual that can identify them
     C. Data shared on social media platforms
     D. Data collected by government agencies
   – Answer: B. Information related to an individual that can identify them
13. MCQ 13:
   – Question: Which principle emphasizes that personal data should be accurate and
   up-to-date?
   – Options:
     A. Data minimization
     B. Data accuracy
     C. Purpose limitation
     D. Consent
   – Answer: B. Data accuracy
14. MCQ 14:
   – Question: Under the DPDP Act, what constitutes valid consent for processing personal
   data?
   – Options:
     A. Silence or inaction by the individual
     B. Explicit and informed consent
     C. Consent obtained only from minors
     D. Consent given verbally
   – Answer: B. Explicit and informed consent
15. MCQ 15:
   – Question: Which entity is responsible for enforcing the DPDP Act and imposing
   penalties?
   – Options:
     A. Data Protection Board of India
     B. Ministry of Digital Affairs
     C. Cybersecurity and Privacy Commission
     D. National Data Security Agency
   – Answer: A. Data Protection Board of India
16. MCQ 16:
   – Question: What is the purpose of data anonymization under the DPDP Act?
   – Options:
     A. To make data more valuable for marketing purposes
     B. To protect individuals’ privacy by removing identifying information
     C. To increase data storage efficiency
     D. To share data with third parties
   – Answer: B. To protect individuals’ privacy by removing identifying information
17. MCQ 17:
   – Question: Which category of personal data is considered sensitive under the DPDP Act?
   – Options:
     A. Name and address
     B. Financial transaction history
     C. Biometric data and health records
     D. Social media posts
   – Answer: C. Biometric data and health records
18. MCQ 18:
   – Question: What is the role of a Data Protection Officer (DPO) in an organization?
   – Options:
     A. To develop data security software
     B. To oversee data protection compliance
     C. To manage social media accounts
     D. To conduct market research
   – Answer: B. To oversee data protection compliance
19. MCQ 19:
   – Question: Which principle requires organizations to retain personal data only for as
   long as necessary?
   – Options:
     A. Data minimization
     B. Purpose limitation
     C. Data retention
     D. Consent
   – Answer: B. Purpose limitation
o Question: What rights do individuals have regarding the erasure of their personal data?
o Options:
 A. The right to access their data
 B. The right to rectify inaccurate data
 C. The right to be forgotten
 D. The right to share their data publicly
o Answer: C. The right to be forgotten
21. MCQ 21:
o Question: Which legal basis allows organizations to process personal data without
explicit consent?
o Options:
 A. Legitimate interest
 B. Data accuracy
 C. Purpose limitation
 D. Data minimization
o Answer: A. Legitimate interest
22. MCQ 22:
o Question: What steps should organizations take to ensure data security under the DPDP
Act?
o Options:
 A. Encrypt all data
 B. Share data with third parties
 C. Conduct regular data audits
 D. Store data indefinitely
o Answer: C. Conduct regular data audits
23. MCQ 23:
o Question: Which penalties can be imposed for unauthorized data processing?
o Options:
 A. Verbal warning
 B. Monetary fines
 C. Community service
 D. Public apology
o Answer: B. Monetary fines
24. MCQ 24:
o Question: What is the maximum penalty for non-compliance with the DPDP Act?
o Options:
 A. ₹1 crore
 B. ₹10 crore
 C. ₹50 crore
 D. ₹250 crore
o Answer: D. ₹250 crore
25. MCQ 25:
o Question: Which entity is responsible for promoting awareness about data protection
rights?
o Options:
 A. Data Protection Board of India
 B. Ministry of Digital Affairs
 C. Cybersecurity and Privacy Commission
 D. National Data Security Agency
o Answer: A. Data Protection Board of India
26. MCQ 26:
o Question: What is the purpose of a Data Protection Impact Assessment (DPIA) under
the DPDP Act?
o Options:
 A. To assess the impact of data breaches
 B. To evaluate the risks of data processing activities
 C. To promote data sharing
 D. To create data backups
o Answer: B. To evaluate the risks of data processing activities
27. MCQ 27:
o Question: Which category of personal data is considered non-sensitive under the DPDP
Act?
o Options:
 A. Name and address
 B. Biometric data
 C. Health records
 D. Financial transaction history
o Answer: A. Name and address
