DPDP Bill, 2023: What Changed from its 2022 Version

Introduction:

The Lok Sabha has passed the Digital Personal Data Protection Bill, making it crucial to comprehend the details of the Bill and the alterations from its previous iteration. This article will delve into a Chapter-wise analysis of the Bill and what modifications it has seen from its previous version.

A comparative analysis of the DPDP Bill 2022 and DPDP Bill 2023:

Chapter-I: Preliminary

Section 2(a) of the DPDP Bill 2023 defines the term ‘Appellate Tribunal.’ Combining Section 2(a) with Section 29 reveals that individuals can file appeals with the Telecom Disputes Settlement and Appellate Tribunal established under Section 14 of the Telecom Regulatory Authority of India Act, 1997. This represents a newly incorporated provision, diverging from the earlier approach where the initial appeal was required to be filed with the High Court.

The definition of ‘data principle’ in Section 2 (j) of the DPDP Bill 2023 is broader than in the previous bill. The 2023 bill offers a comprehensive framework, protecting both children and persons with disabilities, with the involvement of their lawful guardians. However, the 2022 bill’s narrower focus may raise concerns about adequate protection for persons with disabilities and potential gaps in safeguarding their personal information.

In Section 2 (o) of the 2023 bill, the definition of ‘gain’ emphasizes the significance of “legitimate remuneration,” underscoring the need for lawful and ethical financial benefits. Conversely, the earlier version of the bill lacks this specification, similarly impacting the definition of ‘loss.’ The inclusion of “legitimate remuneration” in the current bill aims to promote integrity and ethical practices in financial matters, enhancing the overall clarity and effectiveness of the legislation.

The 2023 bill has altered the definition of the term ‘processing’ under Section-2(x) by introducing the terms “wholly or partly.” Recognizing this explicit modification acknowledges that processing activities may be entirely automated or may involve a combination of automated and manual operations. However, the present bill has omitted certain terms from the definition of the earlier bill, including ‘public interest,’ as defined under Section 2(18) of the 2022 bill.

The new bill modifies the grounds for applicability, removing the reference to ‘profiling,’ which means it won’t apply if processing occurs outside India solely for profiling purposes. Additionally, the bill introduces new grounds for non-applicability, including personal data processed for personal/domestic purposes by an individual and personal data made publicly available by the Data Principal or any person under legal obligation.

Chapter II: Obligation of Data Fiduciary

There have been several modifications under the 2023 bill about the grounds for processing personal data. In the previous bill, the processing of personal data had ‘deemed consent’ as one of the grounds. However, the present bill articulates it as ‘for certain legitimate uses.’ This enables the processing of digital personal data without requiring explicit consent, as the previous designation of “deemed consent” no longer applies.

Section 7 of the DPDP bill 2023 provides that a Data fiduciary can process data when the data principal has given consent for a specified purpose unless the data principal has explicitly indicated that she does not consent to its processing. It also outlines grounds for processing data without explicit consent, with major changes being the exclusion of the ‘public interest’  and the “fair and reasonable purpose” , making the provision more specific and limited in scope.

The DPDP Bill 2023 seems to have a more restricted scope for data processing on behalf of Data Fiduciaries compared to the provisions in the DPDP Bill 2022. In this version of the bill [Section-8(2)], the delegation power of data processors has been eliminated, and they are not permitted to transfer data to another data processor. Furthermore, Section 8 (4) of the 2022 bill places an obligation on both Data Fiduciaries and Data Processors to protect personal data in their possession or control by implementing reasonable security safeguards to prevent data breaches. However, In DPDP Bill 2023 [Section-8(5)], the requirement is specifically on Data Fiduciaries to protect personal data in their possession or control, including any processing carried out by them or on their behalf by a Data Processor, using reasonable security safeguards to prevent data breaches.

The DPDP Bill 2023 introduces significant changes compared to the 2022 version regarding ‘the processing of children’s data.’ It expands the scope to include persons with disabilities who have lawful guardians, requiring the verifiable consent of the parent or lawful guardian before processing their data. Additionally, it explicitly prohibits data processing that could have any detrimental effect on a child’s well-being. The 2023 bill features a provision that grants the Central Government the authority to exempt certain Data Fiduciaries from specific obligations based on verifiably safe data processing practices for children.

In the DPDP Bill 2022, there were several factors mentioned that needed consideration to determine whether a data fiduciary is a significant data fiduciary or not. These factors included: (a) the volume and sensitivity of personal data processed; (b) the risk of harm to the Data principal; (c) the potential impact on the sovereignty and integrity of India; (d) the risk to electoral democracy; (e) the security of the state; (f) the maintenance of public order; and (g) such other factors as deemed necessary. However, in the present bill, the last-mentioned factor has been removed.

Chapter III: Rights and Duties of Data Principle

Section 11(b) of the 2023 bill provides the right to data principle to seek details from a data fiduciary. The 2023 bill requires the disclosure of identities and personal data shared not only with Data Fiduciaries but also with Data Processors, whereas the 2022 bill only mentions sharing with Data Fiduciaries. This expanded provision in the 2023 bill aims to enhance transparency and accountability in data-sharing practices.

However, the new bill provides exceptions where the aforementioned requirements do not apply. These exceptions come into play when a Data Fiduciary shares personal data with another Data Fiduciary authorized by law to obtain such data. This sharing should occur in response to a written request from the other Data Fiduciary to prevent, detect, or investigate offences or cyber incidents, or for prosecuting or punishing offences.

The new bill expands the rights of the data principal, encompassing additional rights such as the right to correction, completion, updating, and erasure of her data for the processing she had previously consented to. In contrast, the previous bill only granted rights to correction and erasure of her data.

Furthermore, Under Section-14(1) of the DPDPB 2022, a Data Principal is granted the right to accessible methods of registering grievances with a Data Fiduciary. In contrast, under Section-13(1) of the DPDPB 2023, the Data Principal is entitled to readily available means of grievance redressal provided by either a Data Fiduciary or a Consent Manager. The timeline of responding to grievances within seven days has been removed.

Chapter IV: Special Provisions

There has been a significant modification regarding cross-border data transfer. In the DPDPB 2022, the Central Government has the authority to notify specific countries or territories outside India to which a Data Fiduciary may transfer personal data, subject to certain terms and conditions. However, in the DPDPB 2023, the Central Government is empowered to issue notifications that restrict the transfer of personal data by a Data Fiduciary for processing to particular countries or territories outside India. Notably, the 2023 bill omits the provisions for specifying the allowed transfers and instead focuses on restricting transfers based on notifications. Also, the new bill recognises sectoral regulation which was not there in DPDPB 2022.

There is also a modification regarding the exemption provision. Under DPDPB 2023, in addition to courts, tribunals, and other judicial bodies, regulators and supervisory authorities are also granted exemptions from certain provisions of the bill, modifying the exemption provision of DPDPB 2022. Furthermore, In DPDPB 2023, Section 17(1)(e) introduces exemptions for data processing necessary for schemes of compromise, arrangement, merger, or amalgamation of companies, as well as reconstruction through demerger or other means. These exemptions are subject to a court, tribunal, or competent authority’s approval per prevailing laws. Notably, such provisions relating to exemptions were not present in DPDPB 2022.

Chapter-V: Data Protection Board of India

This chapter provides for the establishment of a board called the Data Protection Board of India. There has been a significant change that has taken place under this chapter in the latest bill. In DPDPB 2022, the Central Government prescribes the Board’s composition and terms of appointment for the Chairperson and Members, while in DPDPB 2023, specific qualifications are already laid down for members and the Chairperson, along with conditions for holding office and removal.

Also, Read DPDP v. GDPR

Chapter VI: Powers, Functions, and Procedure to be Followed by Board

The DPDP Bill 2023 has significantly enhanced the Data Protection Board’s (DPB) objective of safeguarding people’s privacy in India, granting it more effective authority through Sections 27 and 28. Under the new Bill, the DPB can exercise its powers and functions on receipt of intimation of personal data breach, on a complaint made by a Data Principal in respect of Breach of obligations of Data Fiduciary or Consent Manager, on reference by Central Government or Directions of Court to inquire into a breach, on receipt of an intimation of breach of any condition of registration of a Consent Manager or on a reference made by the Central Government in regards to a breach by an Intermediary when called to furnish information. In these scenarios, the DPB can inquire into the breach and impose penalties and binding directions as it sees fit.

Under the DPDP Bill 2023, the Board is to function as an independent body and upon receipt of an intimation or complaint or reference or direction, it must determine if there are sufficient grounds to proceed with an inquiry. If the Board sees that there are sufficient grounds, the DPB can proceed with inquiry following the principles of Natural Justice.

Additionally, in furtherance of the proceedings, the Bill provides the DPB with the powers of a civil court in respect of summons and enforcing attendance of person for examination, receiving evidence requiring discovery and production of documents, inspection of data, books, or any other documents. Moreover, the DPB also has the authority to enlist the services of police officers. Finally, the DPB has the power to issue a warning or impose costs on complainants for false or frivolous cases.

Through this increased authority, the DPB will be able to actively protect the privacy of Indian citizens. Having the DPB issue orders to data fiduciaries will make them more likely to follow the law. Additionally, the DPB’s power to penalize data fiduciaries will act as a powerful disincentive to violate the law. The DPB’s increased authority is a great step forward for the protection of personal information in India. As a result, they will ensure holding data fiduciaries accountable and protecting personal information.

Chapter VII- Appeal and Alternate Dispute Resolution

Unlike the DPDP Bill 2022, the DPDP Bill 2023, under Chapter 7, significantly modifies the Appeal system. It provides a more streamlined method of Appeals and Alternate Dispute Resolution.

In the 2022 Draft, the Board could review its order through a larger group than the group that held the proceedings and modify the order. Moreover, an appeal against any order would have lied before the High Court. However, the n2023 Bill differs significantly by introducing the Telecom Disputes Settlement and Appellate Tribunal as the Appellate Tribunal. An appeal, can be filed against the order of the DPB within sixty days from receipt of the order. The 2023 Bill provides the Appellate Tribunal with the powers of a Civil Court, and any order passed by the Appellate Tribunal shall be executable by it as a decree of a civil court.

Additionally, in line with the DPDP Bill 2022, the DPDP Bill 2023 delineates a method of Alternate Dispute Resolution if the Board opines that mediation can resolve any complaint. However, the DPDP Bill 2023 differs from the DPDP Bill 2022, wherein the DPDP Bill 2023 does not provide for other Dispute Resolutions processes apart from mediation. 

Finally, the Chapter concludes with the Provisions relating to Voluntary Undertaking similar to the DPDP Bill 2022. There remains no substantial difference between the two bills concerning the voluntary undertaking. Under this, the DPB may accept a voluntary undertaking at any stage of the proceedings, and the acceptance of such undertaking shall constitute a bar on proceedings.

The provisions of the DPDP Bill 2023 have taken a step forward by ensuring a more systematic method of appeals by introducing an Appellate Body and providing the availability of mediation as a method of Dispute Resolution to ensure. These provisions will help ensure speedy resolutions of complaints and put Data Principals at the forefront of the new Bill.

Chapter VIII- Penalties and Adjudication

The Digital Personal Data Protection (DPDP) Bill 2023’s penalties significantly differ from those in the DPDP Bill 2022, bringing several revisions and improvements. The highest penalty for breaking the law was Rs. 500 crore under the DPDP Bill 2022. However, the DPDP Bill 2023 introduces a more sophisticated system of penalties in several parts.

According to Section 33(1) of the DPDP Bill 2023, Data Fiduciaries who violate security precautions face fines of up to Rs. 250 crore. Similarly, under Section 33(2) of the law, violations of commitments to the Data Protection Board or breaches affecting personal data are subject to fines of up to Rs. 200 crore. Section 33(3) of the Data Protection Act levies fines of up to Rs. 200 crore for violating Section 9’s requirements for protecting children’s data. Furthermore, violations of Section 33(4)’s considerable data fiduciary requirements may result in fines of up to Rs. 150 crore. In contrast, the DPDP Bill 2022 mainly concentrated on fines without a precise classification. Additionally, violations in the performance of duties by the data fiduciaries may result in penalties of up to Rs. 10,000 under Section 33(5). The Data Protection Board will impose penalties after conducting in-depth investigations.

Notably, the DPDP Bill 2023’s schedule lists exact penalties for certain offences. For instance, penalties can be as high as Rs. 250 crore for failing to put security measures in place to avoid data breaches and Rs. 200 crore for failing to fulfil requirements pertaining to children’s data.

Read more: How will the DPDP Bill affect businesses’ data collection and processing practices

Chapter IX- Miscellaneous

The DPDP Bill 2023 grants the government broad authority over data protection laws. The government has the power to provide directives to the Data Protection Board, amend laws, and even offer exceptions to businesses that must abide by the standards in question. The statute lists numerous allegations and the corresponding punishments for violations. Additionally, the DPDP Bill 2023 includes a specified three-year transition period that starts on the day it becomes effective. Businesses must strictly follow the rules outlined by the bill during this transitory period because they will become effective during this period. This intentional transition phase shows the bill’s dedication to encouraging gradual adaption while assuring substantial compliance among organisations.

Conclusion

The DPDP Bill, 2023 received modifications that constitute an important advancement in India’s data protection regulations. With its expanded authority, the DPB will be able to protect Indian citizens’ privacy more vigorously. To protect the privacy of individuals, a fresh concept of “explicit consent” for the processing of sensitive personal data could be useful. Cross-border data transfers using a “blacklist” technique can help in preventing transmitting personal details to countries with inadequate privacy laws. In addition, the larger range of penalties for breaking the legislation will act as an effective discouragement against violations of data protection.

Stay updated with Tsaaro about all the latest privacy compliance developments across multiple jurisdictions. Gain a better understanding of laws and regulations and their requirements through us. Take the first step towards a secure your organization’s data by scheduling a call with our privacy expert team at Tsaaro Solutions today. Our insights will help you make informed choices to mitigate your privacy risks. Contact us by email at info@tsaaro.com.