Data protection encompasses laws, rules, and processes that limit the collection, storage, and sharing of personal data to safeguard privacy. The Indian Constitution does not explicitly establish privacy as a fundamental right, but through Supreme Court cases privacy has been linked to existing rights such as freedom of speech (Article 19(1)(a)) and the right to life (Article 21).
Until August 2023, India lacked specific data protection regulations. Instead, data protection was governed by the Information Technology Act, 2000; the Indian Contract Act, 1872; the Information Technology Rules for Sensitive Data, 2011; and the Intermediaries Guidelines for Digital Ethics, 2021. While these rules outlined security measures for handling such data, they proved inadequate for modern data protection challenges. India required a comprehensive and specialized data protection framework to address these evolving issues.
The effort to enact a robust framework began with the introduction of the Personal Data Protection Bill, 2018 (“PDP Bill 2018”), continued through the Personal Data Protection Bill, 2019 and the Digital Personal Data Protection Bill, 2022, and was finally operationalized in 2023 through the Digital Personal Data Protection Bill, 2023, which was ratified as the Digital Personal Data Protection Act, 2023 (“the Act”). This article maps the data protection regime in India from the PDP Bill of 2018 to the Act of 2023.
| PARTICULARS | PERSONAL DATA PROTECTION BILL, 2018 | DIGITAL PERSONAL DATA PROTECTION ACT, 2023 |
|---|---|---|
| Applicability | Applies to: (a) processing of personal data where such data has been collected, disclosed, shared, or otherwise processed within the territory of India; (b) processing of personal data by the State, any Indian company, any Indian citizen or any person or body of persons incorporated or created under Indian law; (c) processing of personal data by data fiduciaries or data processors not present within the territory of India, only if such processing is in connection with any business carried on in India, any systematic activity of offering goods or services to data principals within the territory of India, or any activity which involves profiling of data principals within the territory of India. | Applies to: (a) digital personal data and data collected offline and later digitized; (b) processing of personal data outside India if it is for offering goods or services to Data Principals within the territory of India. Does not apply to: (a) personal data processed by an individual for any personal or domestic purpose; (b) personal data that is made or caused to be made publicly available by (i) the Data Principal to whom such personal data relates, or (ii) any other person who is under an obligation under any law for the time being in force in India to make such personal data publicly available. |
| Categorization of Data | A comprehensive reading of the Bill highlights three categories of data, i.e., personal data, sensitive personal data, and critical personal data. | A comprehensive reading of the Act indicates that there is no categorization of data into sensitive personal data and critical personal data. |
| Categorization of Data Fiduciaries | Section 38 of the Bill clearly classified certain data fiduciaries as significant data fiduciaries. | Section 10 of the Act classifies certain data fiduciaries as significant data fiduciaries. |
| Consent and Notice | Sections 8 and 12 of the Bill provide that consent, and notice for such consent, are required before processing the personal data. The notice must include all the specifications mentioned in Section 8 of the Bill, which include, but are not limited to: (i) the purposes for which the personal data is to be processed; (ii) the categories of personal data being collected; (iii) the details of the data protection officer; (iv) the right of the data principal to withdraw such consent; (v) the procedure for such withdrawal, etc. Section 8(2) provides for translation of the notice into “multiple languages”; however, it does not mandate this and does not specify the languages. | Sections 5 and 6 of the Act specify that consent, and notice for such consent, are required before processing the personal data. The notice must include: (i) a description of the personal data to be processed and the purposes of processing; (ii) the manner in which a data principal is to withdraw such consent and the right to grievance redressal under Section 13; and (iii) the manner of, and right to, making complaints to the Board. Section 5(3) mandates the translation of such notice into local Indian languages, as specified under the Eighth Schedule to the Indian Constitution. |
| Deemed Consent | Does not provide for the concept of “deemed consent”. | Introduces the concept of deemed consent under the head of “certain legitimate uses” in Section 7. A Data Principal is ‘deemed’ to have given consent for processing where the data principal voluntarily provides personal data to the data fiduciary. The Act provides a list of cases in which data principals will be deemed to have given consent for processing personal data. Such legitimate uses include, but are not limited to: (a) when the Data Principal voluntarily provides personal data to a Data Fiduciary; (b) when such personal data is provided for the State and any of its instrumentalities to provide or issue a subsidy, benefit, service, certificate, licence or permit as may be prescribed; (c) performance by the State or any of its instrumentalities of any function under any law for the time being in force in India, or in the interest of the sovereignty and integrity of India or the security of the State; (d) compliance with any judgment, decree or order issued under any law for the time being in force in India, or any judgment or order relating to claims of a contractual or civil nature under any law for the time being in force outside India; (e) responding to a medical emergency involving a threat to the life or an immediate threat to the health of the Data Principal or any other individual; (f) taking measures to provide medical treatment or health services to any individual during an epidemic, outbreak of disease, or any other threat to public health; (g) taking measures to ensure the safety of, or provide assistance or services to, any individual during any disaster or any breakdown of public order. |
| Limitation on Data Collection / Data Minimization | Section 6 and Section 10 limit the collection and storage of personal data to such data as is necessary for the purposes of processing. | No limit on data collection by data fiduciaries is prescribed in the Act. A data fiduciary could collect any personal data, whether or not it is essential for the services it provides; however, Section 6 provides that processing of such personal data should be limited to what is necessary for the specified purpose. |
| Data Portability | The right of data portability is included under Section 26 of the Bill. | A comprehensive reading of the Act indicates that the Act does not provide a right of data portability to data principals. |
| Exemptions for Data Fiduciaries from Compliance with Obligations | The exemptions under Chapter IX are as follows: (a) national security (pursuant to a law); (b) prevention, detection, investigation and prosecution of contraventions of a law; (c) legal proceedings; (d) research, archiving or statistical purposes; (e) personal or domestic purposes; (f) journalistic purposes; and (g) manual processing by small entities. | According to Section 17(3), the government has the power to notify data fiduciaries to whom compliance with the principles in the Act will not apply. Section 17 of the Act provides a revised list of exemptions under which data fiduciaries are relieved of compliance with the obligations in the Act. |
| Protection of Children’s Data | The age of consent is 18 years. Users below 18 years required consent from guardians. | The age of consent is 18 years. Users below 18 years require consent from guardians. |
| Reporting of Personal Data Breaches | As per Section 32, the data fiduciary shall notify the Data Protection Authority (“DPA”) of any personal data breach relating to any personal data processed by the data fiduciary where such breach is likely to cause harm to any data principal. | Section 8(6) obligates both data fiduciaries and data processors (as the case may be) to report personal data breaches to the Board and to the affected data principal. |
| Adjudicating Authority | Section 49 proposed to establish the DPA to hear and decide complaints from data principals about violations of the law. The Bill was unclear regarding the power of the DPA to initiate suo motu proceedings. | Section 18 establishes the Data Protection Board of India (“Board”). The Act is unclear regarding the power of the Board to initiate suo motu proceedings. |
| Cross-border Data Transfer | Section 41 provides that data may be transferred outside India, if consent is provided, to certain permitted countries or under contracts approved by the Authority. Every fiduciary must store at least one serving copy of personal data in India. Critical data can be processed only in India. | Section 16 provides that the Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified. |
| Appointing a “Nominee” / Right to Nominate | Does not provide for a right to nominate. | Enables a data principal to nominate any individual who will, in the event of the data principal’s death or incapacity, exercise his or her rights in respect of the personal data under Section 14 of the Act. |
| Voluntary Undertaking | Does not have a provision for voluntary undertakings from parties under investigation. | Voluntary undertakings from parties under investigation are allowed under Section 32 of the Act. |
| Penalties | Section 69 provided a highest penalty of up to INR 5 crore or 2% of total worldwide turnover. The Bill included Chapter XIII, which categorized certain acts as “offences” and provided for imprisonment of up to five years for certain offences. | Penalties in Chapter VIII range from INR 50 crore to INR 250 crore. There is no provision for imprisonment in the Act, and it does not categorize acts as “offences”. The Act places certain duties on data principals, non-compliance with which could lead to penalties of up to INR 10,000 as provided under the Schedule. |
| Compensation to Data Principals | Section 75 provides for data principals to seek compensation from data fiduciaries for unlawful processing. | A comprehensive reading of the Act indicates that it does not provide for data principals to seek compensation from data fiduciaries for unlawful processing. |
– Sanskruti Sable,
Associate, Solomon & Co.
About Solomon & Co.
Solomon & Co., (Advocates & Solicitors) was founded in 1909 and is amongst India’s oldest law-firms. The Firm is a full-service firm that provides legal service to Indian and international companies and high net-worth individuals on all aspects of Indian law.
Disclaimer
The information contained in this article is intended solely to provide general guidance on matters of interest for the personal use of the reader, who accepts full responsibility for its use. The application and impact of laws can vary widely based on the specific facts involved. As such, it should not be used as a substitute for consultation with a competent adviser. Before making any decision or taking any action, the reader should always consult a professional adviser regarding the relevant article posting.