Rajya Sabha passes Digital Personal Data Protection Bill, 2023

Aug 09, 2023

New Delhi [India], August 9: The Rajya Sabha on Wednesday passed the Digital Personal Data Protection Bill, 2023, which seeks to set out requirements for firms collecting data online, with exceptions for the government and law enforcement agencies.
It also lays down the obligations of entities handling and processing data as well as the rights of individuals.
The Bill, which was passed by voice vote in the absence of Opposition leaders who earlier walked out of the House, applies to the processing of digital personal data within India where such data is collected online, or collected offline and then digitised. It will also apply to such processing outside India, if it is for offering goods or services in India.
The Bill amends the Right to Information Act, 2005 to remove public interest exemptions on disclosing personal information. 
Replying on the Bill, Minister of Electronics and Information Technology Ashwini Vaishnaw informed the House that it provides for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes.
The RTI Act currently allows public authorities to disclose personal information, such as officials’ salaries, when it is in the public interest. The Bill would remove these caveats and completely disallow disclosing personal information.
The Bill, which was passed by the Lok Sabha on August 7, proposes a maximum penalty of Rs 250 crore and a minimum of Rs 50 crore on entities violating the norms.
Personal data may be processed only for a lawful purpose upon consent of an individual. Consent may not be required for specified legitimate uses such as voluntary sharing of data by the individual or processing by the State for permits, licenses, benefits, and services.
Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.
The Bill grants certain rights to individuals including the right to obtain information, seek correction and erasure, and grievance redressal.
The central government may exempt government agencies from the application of provisions of the Bill in the interest of specified grounds such as security of the state, public order, and prevention of offences.
The central government will establish the Data Protection Board of India to adjudicate on non-compliance with the provisions of the Bill.
The Bill does not regulate risks of harms arising from processing of personal data, and does not grant the right to data portability and the right to be forgotten to the data principal.
The Bill allows transfer of personal data outside India, except to countries notified by the central government.  This mechanism may not ensure adequate evaluation of data protection standards in the countries where transfer of personal data is allowed.
The members of the Data Protection Board of India will be appointed for two years and will be eligible for re-appointment.  The short term with scope for re-appointment may affect the independent functioning of the Board.