The President gave assent to the new Digital Personal Data Protection Act, 2023 on Friday. The Act will come into force on the date to be notified by the Centre.
It is a first law made for processing data and amends various legislations, including the Right to Information Act and the IT Act. It will come into force on such date as the Central Government may announce by notification.
The Bill seeks “to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes.”
It applies to the processing of digital personal data within the territory of India where the personal data is collected in digital form or in non-digital form and digitised subsequently.
It also applies to processing of digital personal data outside the territory of India, if such processing is in connection with any activity related to offering of goods or services “to Data Principals within the territory of India.”
The Bill requires establishment of the Data Protection Board of India by the central government. It will monitor compliance and imposition of penalties, direct data fiduciaries to take necessary measures in the event of a data breach and hear grievances made by affected persons.
Penalties are also provided for various offences, such as up to Rs 200 crore for non-fulfilment of obligations for children, and up to Rs 250 crore for failure to take security measures to prevent data breaches.
The Bill requires that the request for consent be accompanied or preceded by a notice stating the purpose for which the personal data is proposed to be processed. It also grants certain rights to individuals, including the right to obtain information, seek correction and erasure, and grievance redressal.
Use Of Personal Data For Certain “Legitimate Use”
A “Data Fiduciary”, meaning any person who alone or in conjunction with other persons determines the purpose of processing of personal data, can process the personal data for the following purposes:
For the specified purpose for which the person has voluntarily provided her personal data to the Data Fiduciary.
For the performance by the State or any of its instrumentalities of any function under any law for the time being in force in India or in the interest of sovereignty and integrity of India or security of the State.
To provide or issue a subsidy, benefit, service, certificate, licence or permit wherein the person has previously consented or the data is available from “any database” maintained by the government, as notified by the Central Government.