Under the revised Digital Personal Data Protection Bill of 2023, the following new provisions have been included:
1. Data localization requirements have been removed from the ambit of the DPDP Bill.
2. Personal data is not defined as ‘sensitive’ or ‘critical’ or recognized as other subsets.
3. There is no definition to cover non-personal data or anonymised data.
4. The data fiduciary will be required to give an itemised notice to the data principal on or before requesting for consent.
5. Data principal can give, manage, review or withdraw their consent through a consent manager. A consent manager is an entity that is accountable and acts on behalf of the data principal.
6. Data fiduciaries dealing with children’s personal data shall obtain verifiable consent of the parent or lawful guardian. It is prohibited to undertake processing such as tracking, behavioural monitoring, or targeted advertising directed at children and that is likely to cause harm to a child.
7. The Central Government may notify any data fiduciary, based on factors such as volume and sensitivity of personal data processed, risk of harm to the data principal, potential impact on the sovereignty and integrity of India, risk to electoral democracy; security of the State; public order as a significant data fiduciary. Such data fiduciary will be required to appoint a data protection officer, an independent data auditor and undertake measures such as data protection impact assessment and periodic audit.
8. The Data Protection Board of India will be established to determine non-compliance and impose penalty, issue directions, and direct the data fiduciary to adopt any urgent measures to remedy personal data breaches.
9. Data subjects do not have the right to be forgotten or the right to data portability, as it was present in the earlier versions of the draft bill.
10. The Bill allows transfer of personal data outside India, except to countries notified by the central government.
