Digital Personal Data Protection Bill passed in Rajya Sabha

The Digital Personal Data Protection (DPDP) bill was passed unanimously in the Rajya Sabha on Wednesday.

Addressing the House, Union minister for electronics and information technology Ashwini Vaishnaw said, “Under this bill, individuals using digital services have been given more power and more obligations have been imposed on companies using data of individuals. There has been a lot of consultation on the bill and then it has been presented before the House."

Vaishnaw further added, "Further, four rights have have been given to the country's citizens - Right to access information, Right to correction of personal data and right to eraser, Right to grievance redressal, Right to nominate in case of death.”


The bill will now be sent to the president Droupadi Murmu for assent following which it will become a law.

The Lok Sabha passed the bill on Monday by a voice vote amid some slogan-shouting by Opposition members seeking a debate on the Manipur issue.

It was presented for passing and consideration by Vaishnaw, who said that the DPDP Bill would safeguard the digital personal data of 1.4 billion citizens.

The opposition had expressed several concerns over the legislation and had demanded that the bill be sent to a parliamentary panel for further deliberations. They alleged that the bill violated citizens’ Right to Privacy. Here are some key insights into the bill.

Key highlights of the bill:

• Companies and businesses (data fiduciaries) cannot process any user's personal data without his or her explicit consent.

• Companies that process such personal data must give exact details of the purpose for which the data is collected and delete it as and when this consent is withdrawn.

• The consent architecture provided in the bill is similar to other digital privacy provisions across the world.

• The bill has also moved to a ‘blacklisting’ approach for cross-border transfer and processing of personal data, meaning that the government would specify certain geographies where data cannot be processed.

• This approach is in contrast with the approach taken by other major data jurisdictions such as the European Union, where the approach is to identify and whitelist jurisdictions that follow and implement adequate legal standards for processing data within their geographies.

• The bill suggests a penalty of up to Rs 250 crore per instance of data breach and a maximum penalty of Rs 500 crore for all such breaches.

• However, it does away with criminal penalties, including jail terms, envisioned under the older versions.

• The government has proposed to set up a data protection board (DPB) headed by a chairperson.

• The DPB can impose penalties, summon data fiduciaries, inspect the books and accounts or statements and even suggest to the government to block internet intermediaries from Indian internet in cases of repeated and severe violations.