The Digital Personal Data Protection Bill, 2023

iasparliament Logo
August 09, 2023

Why in news?

Recently, Lok Sabha passed the Data Protection Bill, India’s 2nd attempt in framing a privacy legislation.


What is the history of Data Protection Bill?

India does not have a standalone law on data protection. Use of personal data is regulated under the Information Technology (IT) Act, 2000.

  • In 2017, the central government constituted the B.N.Srikrishna Committee to examine issues relating to data protection in the country.
  • Based on the recommendation of the Committee, the Personal Data Protection Bill, 2019 was introduced in Lok Sabha.
  • It is formulated based on the data regulation of European Union (General Data Protection Regulation (GDPR)) which empower citizens to have a greater say in how their online data is used.


What are the key features of the bill?

Personal data is defined as any data about an individual who is identifiable by or in relation to such data.

  • Applicability- The Bill applies to the processing of digital personal data within India where such data is
    • Collected online, or
    • Collected offline and is digitised. 
  • It will also apply to the processing of personal data outside India if it is for offering goods or services in India.   
  • Consent- Personal data may be processed only for a lawful purpose after obtaining the consent of the individual.
  • For individuals below 18 years of age, consent will be provided by the parent or the legal guardian.
  • Consent may be withdrawn at any point in time.
  • Rights of data principal- Data principal is an individual whose data is being processed. He/She will have the right
    • To obtain information about processing
    • To seek correction and erasure of personal data
    • To nominate another person to exercise rights in the event of death or incapacity and
    • Grievance redressal
  • Duties of Data Principals- Data Principals must not
    • Register a false or frivolous complaint
    • Furnish any false particulars or impersonate another person in specified cases
    • Violation of duties will be punishable with a penalty of up to Rs 10,000.
  • Obligations of data fiduciaries- Data fiduciary is the entity determining the purpose and means of processing.
  • Data fudiciary must
    • Make reasonable efforts to ensure the accuracy and completeness of data
    • Build reasonable security safeguards to prevent a data breach
    • Inform the Data Protection Board of India and affected persons in the event of a breach
    • Erase personal data as soon as the purpose has been met and retention is not necessary for legal purposes
  • In case of government entities, storage limitation and the right of the data principal to erasure will not apply.
  • Personal data outside India- It allows transfer of personal data outside India, except to countries restricted by the central government through notification. 
  • Exemptions- Rights of the data principal and obligations of data fiduciaries will not apply in specified cases such as
    • Prevention and investigation of offences
    • Enforcement of legal rights or claims
  • The Central government may exempt certain activities
    • In the interest of the security of the state and public order
    • Research, archiving, or statistical purposes
  • Data Protection Board of India- It will be established by the Central Government. Key functions of the Board include
    • Monitoring compliance and imposing penalties
    • Directing data fiduciaries to take necessary measures in the event of a data breach
    • Grievance redressal
  • Appeal- The decisions of the board can be appealed to Telecom Dispute Settlement and Appellate Tribunal.



Rs 200 crore

Non fulfilment of obligations for children

Rs 250 crore

Failure to take security measures to prevent data breaches.

What is the significance of the bill?

  • Multi-pronged approach - This framework encompasses various legislative measures such as the
    • Digital India bill that would replace existing Information Technology Act, 2000,
    •  Draft Indian Telecommunication Bill, 2022, and
    •  Policy addressing the governance of non-personal data.
  • Privacy - It will enhance the privacy cognizance of Indian citizens through transformative accountability measures to be adopted by enterprises.
  • Compliance- It is due to robust protection and security measures, combined with effective privacy policies and grievance redressal mechanisms
  • Data breach- Multiple exemptions were provided to prevent data breaches such as the
    • privacy breach in CoWIN portal where the personal details of vaccinated users had been leaked on Telegram.
    • 12,000 confidential records of State Bank of India employees were reportedly made public on Telegram.

According to data from the United Nations Conference on Trade and Development, 137 out of 194 countries have put in place legislation to secure the protection of data and privacy.

What are the issues with the bill?

  • Article 21- It violates the fundamental right to privacy because of the exemptions provided to the State on grounds such as national security.  
  • Regulation- The Bill does not regulate risks of harms arising from processing of personal data. 
  • Rights - The Bill does not grant the right to data portability and the right to be forgotten to the data principal.

Right to data portability- The right to data portability allows data principals to obtain and transfer their data from data fiduciary.

  • It is obtained for their own use, in a structured, commonly used, and machine-readable format.
  • It gives the data principal greater control over their data.

Right to be forgotten- It refers to the right of individuals to limit the disclosure of their personal data on the internet.

  • Personal data outside India- This mechanism may not ensure adequate evaluation of data protection standards in the countries where transfer of personal data is allowed.
  • Independence - The short term (2 years) of the members of the Data Protection Board of India with scope for re-appointment may affect the independent functioning of the Board.
  • Multiple exemptions- Exemptions citing national security etc., resemble China’s data regulation.
  • Right to Information (RTI) Act- The personal data of government functionaries is protected making it difficult to be shared with an RTI applicant.
  • No compensation - Section 43A of IT Act,2000 imposes an obligation on corporates to award damages to affected persons in case of negligent handling of their sensitive data. However, the Bill excludes the application of Section 43A.

Models for data protection laws

  • European Union Model- The GDPR focuses on a comprehensive data protection law for the processing of personal data
  • Right to privacy is enshrined as a fundamental right that seeks to protect an individual’s dignity and her right over the data that she generates.
  • Digital Services Act focuses on issues such as regulating hate speech, counterfeit goods etc.
  • Digital Markets Act has defined a new category of “dominant gatekeeper” platforms and is focused on non-competitive practices and the abuse of dominance by these players.
  • The US Model- Privacy protection is largely defined as a “liberty protection” which is focused on the protection of the individual’s personal space from the government.
  • There is no comprehensive set of privacy rights or principles that collectively address the use, collection and disclosure of data in the US.
  • China model- The Personal Information Protection Law (PIPL), gives data principals, the right to prevent the misuse of personal data.
  • Data Security Law requires business data to be categorised by different levels of importance and puts new restrictions on cross-border transfers.
  • It gives the government overreaching powers to both collect data and regulate private companies that collect and process information.
  • Businesses may also be required to suspend operations until they demonstrate compliance.
  • India too, has introduced a similar provision, where any platform that has violated its norms for at least 2 times can be blocked by the Central government.


What lies ahead?

  • Data is new oil. It is the currency of the digital age and processing of personal data is the pivot around which today’s digital economies revolve.
  • Hence proper regulation and guidelines by the Government to enhance the data security is need of the hour.



  1. Indian Express- Data protection bill provisions and criticisms
  2. The Hindu- Explained What is data protection bill
  3. PRS- Bill highlights and legislative brief
Login or Register to Post Comments
There are no reviews yet. Be the first one to review.



Free UPSC Interview Guidance Programme