India: Passed India Digital Personal Data Protection Bill 2023 including data protection regulation

On 7 August 2023, the Digital Personal Data Protection Bill 2023 was passed by the Lok Sabha (Parliament’s lower house). The proposed Bill outlines the rights and duties of data principals, defined as individuals whose personal data is being treated, as well as the obligations of data fiduciaries, defined as the person that determines the purpose and means of processing personal data. The Bill allows for the processing of personal data based exclusively on consent or legitimate uses. To this end, notification procedures are detailed in order for principals to give full and informed consent to the treatment of their data, including consent withdrawal. Data principals’ rights include the right to access, correction and erasure of their personal data. Data fiduciaries are responsible for compliance on behalf of any third-party data processors they may employ. Exceptions to the above are provided in cases such as data processing for law enforcement purposes. The Bill would also require data fiduciaries to verify the consent of legal guardians in case of treatment of the personal data of minors. In addition, data of minors must not be processed in any way which is likely to cause detrimental effects on their well-being, or that allows for tracking or behavioural monitoring aimed at enabling targeted advertising. The Bill will now be discussed in the Parliament’s upper house (Rajya Sabha).