The Digital Personal Data Protection Bill, 2023, which outlines procedures on how businesses and the government itself can collect and use information and personal data of Indian citizens, was introduced by the Centre in Parliament on Thursday (August 3), following nearly five years of negotiations involving the government, technology companies, and representatives of civil society.
The legislation has gone through several changes over the past five years; initially, it was a draught law that embraced the more general principles of Europe’s privacy rules, which provide people more control over how their online data is used.
To appease businesses and encourage competition, somewhat along the lines of US law, there was a midway infusion of clauses that softened some plans.
Rajeev Chandrasekhar, the minister of state for electronics and information technology, stated that the measure will safeguard the rights of all citizens.
He tweeted “DPDPBill introduced in #Parliament is a very significant milestone in PM @narendramodi ji’s vision of Global Standard Cyber Laws for India’s $1T #DigitalEconomy and #IndiaTechade. @GoI_MeitY has developed this bill after extensive consultations which I led – with all stakeholders including #DigitalNagriks.”
It is founded on six data economy principles, the first of which discusses the gathering and use of personal information on Indian individuals. Personal data must be legally collected, used, and protected from misuse while maintaining transparency. The second principle discusses the need for data collection activities to have a legal purpose and the need for safe data storage while the purpose is being carried out.
The following rule discusses data minimization, which states that only pertinent information about people should be gathered, and that the only goal should be to serve the pre-defined purpose.
The fifth principle addresses data accuracy, whereas the fourth deals with data protection and accountability. The last principle outlines the procedures for disclosing a data breach. A data breach should be disclosed to the relevant Data Protection Boards in a fair, transparent, and equitable way.
