In a historic event on August 9th, Wednesday,  the Parliament has given a green flag to the Digital Personal Data Protection Bill (DPDP). Lok Sabha approved the same bill on Monday. The bill was first introduced in 2019 but was withdrawn after 81 amendments were made to it by the Parliament.

What is Digital Personal Data Protection Bill (DPDP)?

DPDP is a bill that intends to control the misuse of an individual's data by online platforms. It aims to become the first law in the country with provisions to protect personal data. Ashwini Vaishnaw, Minister of Communications and Information Technology, shared that the bill is impartial to any particular technology or platform. This has been done so that the ever-evolving data concepts can also be a part of it without needing any alterations.

He further shared that the government has started working on implementing the bill, and a roll-out is expected soon. However, fiduciaries will be consulted before the roll-out.

The minister said that every step will be taken with proper checks, balance, and verification as this will change the entire digital economy. 

Some members of the upper house showcased their concerns regarding privacy, compensation, reputational loss, and the need to have data protection boards in each state. 

Addressing the same, the minister stated that many things will undergo evolution as the data protection board gives its rulings. This bill is made primarily on principles and is flexible to support the evolution of the sectors. 

On being asked about medical user data protection, the minister said the bill will not override any law that provides for a higher degree of protection of personal data by an entity.

Legal experts believe India is a rising global digital economy, and this law is a critical tool to help protect the user's data.

How much penalty does DPDP attract if not followed?

It is important to take the bill seriously as it attracts heavy penalties of up to ₹250 crore per instance in the case of a data breach. This penalty will depend on the number of occurrences and can be multiplied by the number of occurrences.

The bill mentions that the Centre holds the power to decide which companies will be deemed as significant data fiduciaries based on certain factors like the security of the State and more.

According to the bill, there are reasonable obligations on data fiduciaries, as they must ensure responsible handling of digital personal data. It is mandatory to have a local office and a data protection officer (DPO) as per the bill. 

In case of any violations, the government holds the power to block a company or impose financial penalties. If the violation of the rules didn’t stop after two instances, the government can ban or block the platform of any fiduciary.

In case of a data breach between a fiduciary and a data principal, the liability will lie with the fiduciary.

This bill also has the provision of a negative list that contains the cross-border transfer of personal data, as per which the Indian government can regulate and limit the transfer of personal data across borders based on criteria specified by them.