Indian Parliament passes Digital Personal Data Protection Bill 2023
The Digital Personal Data Protection Bill 2023 is India’s data protection law that was introduced into Parliament on August 3rd. India’s Lower House, the Lok Sabha, passed the law on August 7th, followed by the Upper House, the Rajya Sabha, on August 9th, 2023. The last step is now the signing by the Indian President Droupadi Murmu.
The Digital Personal Data Protection Bill 2023 aims “to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes.”
The bill applies to the processing of personal data in India, and it will also apply to personal data outside of the country if it’s for business entities offering goods or services. To understand exactly what personal data is, you can read the official definition in the draft (Digital Personal Data Protection Bill 2023). For your convenience, here is a brief description straight from the draft law (original in English, translated into German):
“Personal data is defined as ‘any data about an individual who is identifiable by or in relation to such data’. Moreover, ‘processing’ has been defined as a ‘wholly or partially automated operation or set of operations performed on digital personal data’.”
Key elements of the Digital Personal Data Protection Act 2023:
- Consent: A consent notice is required to obtain the consent of the data subject in order for the processing of personal data to be lawful. The consent should contain information about the purpose of the processing of personal data and the details about which personal data are to be collected.
- Principles: The draft law is based on the following principles, which ensure the lawful handling of personal data:
  - The principle of consent, lawfulness and transparency in the use of personal data;
  - The principle of purpose limitation (use of personal data only for the purpose stated at the time the consent of the data owner was obtained);
  - The principle of data minimization (collecting only as much personal data as is necessary for the stated purpose);
  - The principle of data accuracy (ensuring that data is correct and up-to-date);
  - The principle of storage limitation (storing data only for as long as it is needed for the stated purpose);
  - The principle of reasonable security precautions; and
  - The principle of accountability (by condemning data breaches and breaches of the provisions of the law and imposing penalties for the breaches).
- More rights for individuals: The bill also strengthens rights for individuals, including (but not limited to) the following:
  - The right to information about the processing of personal data;
  - The right to rectification and deletion of your own data;
  - The right to appoint someone to take care of your rights in the event of your death or incapacity.
- Children’s rights: The draft law prohibits the processing of data that affects the well-being of children or involves the tracking/monitoring of their behavior or targeted advertising.
  - According to the draft law, the processing of children’s personal data by the controller is only permitted with the consent of the parents.
What you can do to comply with the Digital Personal Data Protection Bill 2023
Be alert to any changes or updates to data protection laws and regulations, as the law is in its final stages and not yet fully enacted. In the meantime, you can begin to familiarize yourself with the Digital Personal Data Protection Bill and put security in place for your business. In particular, if your company uses active cookies, you can start by implementing a cookie notice.