Print Friendly, PDF & Email

Sansad TV: Bills and Acts- Digital Personal Data Protection Act, 2023





In August 2023 resident Draupadi Murmu gave her assent to Digital Personal Data Protection Bill, 2023.The Bill provides for the processing of digital personal data in a manner that recognizes both the rights of the individuals to protect their personal data and the need to process such personal data for lawful purposes.

Need for Data Protection in India

India has around 40 cr internet users and 25cr social media users who spend significant time online. The average cost for data breach in India has gone up to Rs. 11.9 crore, an increase of 7.9% from 2017. Moreover, in the KS Puttaswamy case, the Supreme Court has declared Data Privacy as a fundamental right under Article 21. Hence it becomes all the more significant to ensure data protection. The reasons are as follows :-

  • Data Export: Most of the data storage companies are based abroad. Especially the e-commerce companies that have exabytes of data on Indians. They also export data to other jurisdiction making it difficult to apply Indian laws.
  • Data Localization: Enforcing data localization has faced backlash from many private entities and their home governments. There hundreds of private players are involved in data dynamics which makes it difficult to apply uniform data protection framework.
  • User Consent: Generally, the application using pre-ticked boxes on consent while asking users regarding the acceptance to the terms and conditions.
  • Privacy Breach:  It is usually difficult to trace the perpetrator invading the data privacy.
  • Privacy laws: Currently, the usage and transfer of personal data of citizens is regulated by the Information Technology (IT) Rules, 2011, under the IT Act, 2000. However, this are applicable only to private entities and not on government agency.
  • Data ownership: As per TRAI guidelines, individuals own the data, while the collectors and data processors are mere custodians of data who are subject to regulations.

India’s Data Protection Bill– Key recommendations:

  • Remove the word ‘personal’ from the existing title of ‘Personal Data Protection Bill’. This is intended to reflect that the bill, in order to better ensure privacy, will also be dealing with non-personal data, such as personal data that has been anonymised.
  • Amend the section restricting the transfer of personal data outside India to say “sensitive personal data shall not be shared with any foreign government or agency unless such sharing is approved by the central government.
  • No social media platform be allowed to operate in India unless its parent company, which controls the technology powering its services, sets up an office in the country.
  • It proposes a separate regulatory body to be set up to regulate the media.
  • Jail term of up to 3 years, fine of Rs 2 lakh or both if de-identified data is re-identified by any person.
  • The word ‘personal’ ought to be dropped from the name of the Bill.
  • Central government may exempt any government agency from the legislation only under exceptional circumstances.


  • Major players in India’s digital economy are not only based abroad, but also export data to other jurisdictions.
  • Potential drain of economic wealth of a nation. Financial rewards of big data are enjoyed by MNCs located in USA.
  • Infrastructure in India for efficient data collection and management is lacking

Way Forward:

  • Data minimisation and accountability of those who process and control data.
  • Personal data in the public interest should be protected and used only for the purposes it was collected.
  • Adequate infrastructure in terms of energy, real estate, and internet connectivity also needs to be made available for India to become a global hub for data centres.
  • Start-ups can develop technology that enables users to control who gets access to the data about their behaviour patterns in the digital world.
  • Data needs to be shared with start-ups so that they can have a level playing field in offering innovative services with large and often global data companies.
  • Encouraging formation of native internet giants like how china has done.
  • Current data protection rules under the Information Technology Act urgently need an update and should reflect modern trends.
  • Data protection is essential to balance the growth of the digital economy and use of data as a means of communication between persons with a statutory regime that will protect the autonomy of individuals from encroachments by the state and private entities.
  • India must adopt stringent law in the same lines as GDPR (General Data Protection Regime) enacted by the European Union.