The Digital Personal

Data Protection Bill,

2023 (‘2023 Bill’):
Brief analysis
• FAQs
• Comparison with GDPR
• Salient Features
FAQs

1. What kind of Data is protected?

Any online, digital or digitized data about an individual, which can be used to identify
them in real life, and which is processed in India or processed outside India for any
offerings in India.

2. What kind of Data is not protected?

The 2023 Bill excludes personal data which (a) is not collected digitally or
subsequently digitized, which is processed and used outside India; (b) is made
publicly available by the individual or for legal purposes; and (c) processed by an
individual for any personal or domestic purpose

3. Who is a Data Fiduciary and a Data Processor?

“Data Fiduciaries” determine the purpose and mean of processing personal data (for
example, an e-commerce platform), while a “Data Processors” process the
personal data on behalf of the Data Fiduciary (for example, a marketing firm hired
by an e-commerce platform).

4. What is the concept of consent, who is responsible for procuring consent

and how can this be done?

Consent should be procured from individuals by data fiduciaries, and should be

informed (with clarity on the purpose and manner of processing), specific (with
respect to the relevant purpose only), and affirmative (should be through an
acceptance rather than a right to opt-out).
FAQs

5. What are the legitimate uses for which a Data Fiduciary can process
personal data?

• The specific purpose for which the individual provided the data voluntarily.
• Offering benefits or services or subsidy or license by the government &
instrumentalities.
• Carrying out state functions under prevailing Indian laws, for safeguarding the
sovereignty, integrity, and security of the State.
• Fulfilling legal obligations to disclose to any state or instrumentalities.
• Complying with court orders or decrees or judgment.
• Addressing medical emergencies.
• for providing medical treatment or health services during epidemic or threat to
public health
• for ensuring safety during disasters
GDPR (EU) vs. DPDP Bill (India)

Parameters 2023 Bill GDPR

Application Covers digital/digitized personal Personal data of persons

and Scope data (a) processed in India; or residing in Europe, not limited
(b) processed outside India for to “digital” personal data.
offerings in India.

Collection of The data fiduciary is required to Similar to the 2023 Bill, GDPR
Consent collect free, specific, informed, requires data controllers/
and affirmative consent for fiduciaries to procure free,
processing of personal data - specific, informed, and
and should provide a right to affirmative consent for
withdraw such consent. processing.

Withdrawal of The 2023 Bill provides The GDPR provides individuals

consent & right individuals the right to (a) the right to (a) withdraw
of erasure withdraw consent for processing consent for processing of all
(except processing of data data, including data already
collected prior to such collected prior to the
withdrawal; and (b) erase or withdrawal, and (b) erase or
modify personal data. modify personal data.

Children’s Consent of lawful guardians Consent of lawful guardians

consent must be procured for individuals must be procured for
below the age of 18 years. individuals below the age of 16
years.

Encryption Data fiduciaries have a general Obligation on both controllers

obligation to ensure reasonable and processors, to ensure
security safeguards to prevent pseudonymization and
data breach. encryption of personal data, as
well as implement “appropriate
technical and organizational
measures to secure personal
data”.
Salient Features

Terms Description

Extra-territorial Personal Data processed outside of India covered under 2023

applicability Bill for goods or services offered in India.

Data Protection Board of India (DPBI) for all complaints and

Adjudication disputes.
Appeals from orders of DPBI will lie with Telecom Disputes
Settlement and Appellate Tribunal.

Exemption to Startup Data Fiduciaries can be exempted by Central

Start-ups Government from certain provisions regarding compliance.

Data Fiduciaries processing personal data are accountable for

Accountability
their compliance and defaults.

Non-compliance by data fiduciaries and processors or for

Penalties breach of data and privacy, decriminalised could attract fines
of up to ₹250 crores (US$30 million approx.).

Cross-border Government can restrict cross-border data transfers to

data transfers countries notified by it.
Contact us

support@treelife.in

+91 98202 22758 / +91 022 6852 5768

www.treelife.in

Mumbai HQ:
914/15/16 Pinnacle Corporate Park,
Near Trade Centre, Bandra Kurla Complex,
Mumbai 400 051

Delhi Office:
E1/3 FF, Jhandewalan Extension,
Nr. Jhandewalan Metro Station,
New Delhi 110 055

Bengaluru Office:
Follow us on:
1st floor, Mahalakshmi Chambers,
MG Road, Trinity Metro Station,
Bengaluru 560 001

Disclaimer: The content of this document is for information purpose only and does not constitute
advice or a legal opinion. It is based upon relevant law and/or facts available at that point of time
and prepared with due accuracy & reliability. Readers are requested to check and refer to
relevant provisions of statute, latest judicial pronouncements, circulars, clarifications etc. before
acting on the basis of this write up. The possibility of other views on the subject matter cannot be
ruled out. By the use of the said information, you agree that the Treelife is not responsible or
liable in any manner for the authenticity, accuracy, completeness, errors or any kind of omissions
in this piece of information for any action taken thereof.