Navigating the Digital Age: Exploring India’s Digital Personal Data Protection Bill, 2023

India's Digital Personal Data Protection Bill

In the age of digital transformation, where personal data fuels countless online services and interactions, the need for robust data protection laws has never been more urgent. India, recognizing this necessity, has introduced the Digital Personal Data Protection Bill, 2023, a comprehensive framework aimed at safeguarding the privacy and rights of its citizens in the digital realm. 

In this blog post, we delve into the highlights of the bill and address some key issues and analyses surrounding its provisions.

PART A: Highlights of the Bill

Context and Scope

The bill addresses the processing of digital personal data within India, both online and offline but digitized, and extends its jurisdiction to data processing conducted outside India if it pertains to offering goods or services within the country. It’s a significant step considering India’s increasing digital footprint and its implications for data protection.

Consent and Purpose Limitation

One of the bill’s cornerstones is the requirement for obtaining lawful consent from individuals before processing their personal data. While this ensures transparency and user autonomy, the bill also recognizes certain legitimate uses where consent might not be necessary, such as voluntary data sharing or processing by the State for permits, licenses, benefits, and services.

Data Fiduciaries’ Responsibilities

Data fiduciaries, entities that process personal data, are bound by stringent responsibilities under the bill. They must ensure data accuracy, security, and deletion once its purpose is fulfilled. This commitment aligns with global data protection standards and ensures a higher level of data security.

Individuals’ Rights and Data Protection Board

The bill empowers individuals with essential rights, including the right to access information, seek correction, erasure, and grievance redressal. To monitor compliance, a Data Protection Board of India will be established. This board will play a pivotal role in enforcing the bill’s provisions and addressing non-compliance issues.

PART B: Key Issues and Analysis

Balancing National Security and Privacy

The bill’s exemptions for data processing by the State on national security grounds raise concerns about unchecked data collection, processing, and retention. Striking a balance between safeguarding national security and respecting citizens’ privacy remains a challenge, and this balance must be clearly defined.

Addressing Harms from Data Processing

A notable gap in the bill lies in its lack of regulation concerning harms arising from data processing. As data breaches, identity theft, and other detrimental consequences become more prevalent, it’s crucial to have provisions addressing such issues and holding data fiduciaries accountable.

Cross-Border Data Transfers

The bill’s mechanism for allowing personal data transfer outside India may not ensure adequate evaluation of data protection standards in recipient countries. To uphold the privacy of Indian citizens, stronger safeguards for cross-border transfers might be needed.

Data Protection Board Independence

The appointment term for members of the Data Protection Board could impact its independence. Longer terms with limited re-appointments might better ensure unbiased decision-making and enhance the board’s autonomy.

Children’s Data Protection

While the bill introduces additional obligations for processing children’s data, its definition of a child as someone below 18 years diverges from global norms. Balancing the rights of children and safeguarding their well-being while respecting their autonomy is a complex task.

Evolution of Data Protection Laws: A Comparative Analysis from 2018 to 2023

There are different versions of the Data Protection Law, spanning from the Draft Personal Data Protection Bill of 2018 to the Digital Personal Data Protection Bill of 2023. The scope of these drafts has evolved, with the 2023 Bill expanding coverage to anonymized and non-personal data processing while excluding offline and non-automated processing. 

In terms of data breach reporting, the 2023 Bill requires immediate notification for all breaches, unlike the 2018 Bill which focused on potentially harmful breaches. Exemptions from bill provisions have seen shifts in government authority. The 2023 Bill introduces the right to compensation for harm and removes the 2018 Bill’s classification of sensitive and critical personal data. 

Regulatory bodies have also changed, with the 2023 Bill introducing the Data Protection Board of India and designating TDSAT as the Appellate Tribunal. Lastly, data transfer regulations have evolved, highlighting the importance of data localization and consent in the 2023 Bill.

What Does This Bill Mean to Background Verification Service Providers?

Since BGV service providers collect candidates’/employees/partners’ personal data and digitise it for the purpose of verification, this bill serves as a guide for things To Do and Not To Do with the personal data collected and processed for the purpose of background checks.

Adapting to the bill’s provisions will not only enhance their operational integrity but also reinforce their commitment to securing individuals’ personal data in the digital age.

SpringVerify’s Take On This Bill

This Bill majorly involves transparency in policies, and making data accessible to candidates. Some companies never disclose confidential information about verification results to the candidate. Upon the passing of this bill, candidates have the right to access background verification results/reports if they wish to and also be informed of any discrepancies. 

Earlier companies owned the verification results/report data inaccessible to the candidate, however, as per this bill the candidate owns all their data that is collected and processed. They also have the right to portability, erasure and correction as stated earlier. 

Candidates also never had an idea of what rights they had in terms of data protection earlier but with this bill, companies will be obligated to be transparent about the rights that candidates have while getting their consent.

SpringVerify recognizes that our customers place their trust in us by entrusting us with their information. As a result, Information Security and Data Privacy have always been at the core of our business values. Our unwavering dedication is to protect the personal and confidential data related to our business, clients, and third parties, shielding it against potential internal or external security risks and cyber threats.


The Digital Personal Data Protection Bill, 2023, reflects India’s commitment to adapting its legal framework to the digital age. By addressing consent, data fiduciary responsibilities, individual rights, and oversight mechanisms, the bill takes steps toward enhancing data privacy. 

However, it’s imperative to address key issues such as national security exemptions, harm prevention, and cross-border data transfer standards to create a comprehensive and effective data protection regime. 

As India navigates this dynamic landscape, striking a balance between technological innovation and individual rights remains a paramount challenge.

Previous Story

Uncovering the Next Era of Background Verification: What to expect