Mumbai: The government on 3 August has introduced the Digital Personal Data Protection Bill 2023, in the Lok Sabha, outlining the lawful collection, processing and protection of private data. An independent body, the Data Protection Board, will be established to examine personal data breaches and impose penalties. It also prescribed penalties up to Rs 250 crore for data breaches.

According to the proposed law, digital platforms must obtain explicit and informed consent from users to process their data. Users will have the right to withdraw this consent at any time, after which platforms must cease data processing and erase the relevant data. The Bill also permits the transfer of personal data to any country, except those the government may blacklist in the future.

The Bill, a product of over four years of work, numerous deliberations, and multiple revisions, presents a distinct framework compared to earlier draft legislation on the subject.

In a relief for the industry, the Bill allows cross-border data transfers, introduces voluntary undertaking of data breaches, and removes criminal penalties prescribed in the 2019 draft.

The Bill excludes anonymised, non-personal, and offline personal data, and does not categorise data as sensitive or critical. To reduce litigation, the Bill includes provisions for alternative dispute resolution (ADR). If enacted, the law will become a key component of India's rapidly expanding digital economy.

Disputes with the board’s decisions can be taken to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). The Bill outlines the broad principles of data protection, with the specifics of legal requirements to be clarified when the government defines the rules following the Bill's enactment.