Data Protection Bill 2023 Update – Govt. Brings New Law to Secure Digital Data

Written By Sambita Panigrahy  
Approved By Anuraag Singh 
Published On August 24th, 2023

The Story So Far: The government of India has withdrawn the bill passed to protect personal data in 2019 to introduce a new comprehensive legal framework in 2023. The new Data Protection Bill update will focus on regulating the online space, including separate legislation on data privacy, the overall internet ecosystem, cybersecurity, telecom regulations, and harnessing non-personal data to boost innovation in the country. Also, companies handling consumers’ personal data that fail to take reasonable safeguards to prevent data breaches could end up facing penalties as high as around Rs 200 crore under the revamped version of the bill.

Highlights of The New Bill

The following are the updates of the new Digital Personal Data Protection Act India.

  • The Bill is applicable to digital personal data processed in India, whether obtained online or offline and converted to digital form. It also applies to processing done outside of India for supplying products or services in India.
  • Personal data can only be handled with consent and for legitimate purposes. However, certain legal purposes may not require consent, such as processing applications or voluntary data sharing.
  • Data custodians will be required to keep data accurate and safe, and to delete it after its purpose has been served.
  • The Data Protection Bill update provides individuals with a number of rights, including the ability to request information, seek correction and erasure, and file a grievance.
  • The central government may exclude its agencies from the Bill’s restrictions for specific reasons, such as state security, public order, and the prevention of crimes.
  • The Data Protection Board of India will be established by the national government to decide cases of non-compliance with the Bill’s requirements.

What Does India Data Protection Law 2023 Say?

The Personal Data Protection Act is legislation made to regulate how various companies and organizations use individuals’ data inside India. The main aim of the bill is to provide digital privacy protection to individuals relating to their personal data, specify the flow and usage of data, and create a relationship of trust between individuals & companies handling their data.

The Data Protection Bill India uses the terms “Data Principals” and “Data Fiduciary”. Data Principals are the individuals whose data is being collected, whereas a Data Fiduciary can be an individual or entity that decides the purpose and means of the processing of an individual’s personal data.

According to The Hindu, this is not the first draft of the bill.

Past Records Of Data Protection Bill

Previously, before the data protection bill update, the Justice Srikrishna Committee, set up by the Ministry of Electronics and Information Technology, proposed the first draft of the Personal Data Protection Bill in 2018. Then, in 2019, the government made revisions to the existing draft and introduced it as the PDP Bill, 2019, in the Lok Sabha.

Then, the unfortunate event of the Covid-19 outbreak delayed the report submission process. So, the joint committee on the PDP Bill, 2019, submitted the reports after two years, in December 2021.

Now, in August 2023, the government has withdrawn the previous data protection bill to bring refreshed regulation. The India Data Protection Law 2023 is the fourth iteration of the law.

But, Why Have So Many Revisions and Changes Been Made to The Bill?

Users’ constant interactions with digital devices generate unprecedented amounts of data around the clock. However, this data, when coupled with the computational power available, can be processed in ways that increasingly harm the autonomy and privacy of the individuals it belongs to.

The right to information privacy has been upheld as a fundamental right by the Supreme Court. And the current legal framework for the IT Rules, 2021, is found to be inadequate to combat data security threats.

The government has brought the data protection bill update because of various inadequacies noticed in the existing law.

It is inadequate on four levels.

  1. The existing framework on privacy is based on statutory rights rather than fundamental rights. 
  2. It has a limited understanding of what kind of data it can protect.
  3. It imposes minimal duties on data fiduciaries (entities that deal with customers’ personal data), which can sometimes be waived by contract.
  4. There are only minimal consequences for the data fiduciaries in case of a data breach.

The amendment in the bill is meant to impose significant penalties on businesses that suffer data breaches or fail to notify users when breaches happen.

Different Penalties Included In The Data Protection Bill Update

Previously, if a company violated the law, the penalty proposed was Rs 15 crore or 4 percent of its annual turnover, whichever is higher. However, the fine included in the new bill is significantly higher, and the penalties vary on the basis of the nature of the violation by the data fiduciaries.

According to India Data Protection Law 2023, companies, banks, and even the government’s data handling agencies that fail to provide details about what information they are collecting about citizens, how they are storing it, and how they are sharing it would bear a maximum penalty of Rs 250 crore and a minimum of Rs 50 crore. In addition, those who fail to protect children’s personal data could be fined nearly Rs 100 crore.

Thus, it’s high time that business stakeholders seriously considered implementing security measures and having a SOC, or Security Operation Center, in place to combat data theft and to save themselves from paying a huge penalty.

Why Is It Important to Have A Security Operation Center?

The way new security incidents are emerging, it’s hard to predict which companies could fall victim to a data breach. 

Unfortunately, if your organization comes under a cyberattack, it could impact the business in different ways.

  • First of all, you could lose a large customer base due to a lack of trust in your company’s security.
  • Secondly, it could ruin your brand value and reputation which would directly impact revenue generation.
  • Last but not least, let’s not forget that, as per the data protection bill update, there is a huge penalty to pay for not being able to safeguard your customers’ personal data.

So, regardless of business size, it’s better to deploy security measures before it’s too late.

Besides, as per the new Data Protection Law, entities that deal with a huge volume of users’ personal data have to appoint independent Data Auditors who shall evaluate their compliance with the act. Thus, to improve and maintain security measures in your IT infrastructure, it’s recommended to hire professionals such as SysTools, since it has years of experience in providing Managed Cyber Security Services along with CMMC Consulting audit services.