The Digital Personal Data Protection Bill, 2023, was passed in the Lok Sabha on Monday. It was presented in Parliament last week by Union Communications, Electronics, and Information Technology Minister Ashwini Vaishnaw. However, the bill faced strong resistance from Opposition leaders, who contended that it infringes upon the fundamental right to privacy.
The Opposition urged that the bill be referred to the standing committee for a thorough examination, citing the government's withdrawal of a data protection bill last year and the need for a more comprehensive review of the new proposal.
Vaishnaw, in response, asserted that the bill is not classified as a money bill and reassured that all concerns raised by the opposition would be addressed during the debate.
Rajeev Chandrasekhar, the MoS for Electronics and Information Technology, emphasised that the bill aims to safeguard the rights of all citizens while fostering the growth of the innovation economy. He also stated that the bill would enable the government's lawful and legitimate access in matters of national security and emergencies, such as pandemics and earthquakes.
Furthermore, Chandrasekhar highlighted that the Digital Personal Data Protection Bill is designed to be a global standard, contemporary, future-ready, and yet simple and easy to comprehend.
To understand the Bill better, let us break down the various elements.
Digital Personal Data Protection Bill, 2023: Who Does It Apply To?
This comprehensive legislation has broad application, covering data collected both online and offline, as long as it is later digitised. Moreover, it extends its reach beyond Indian borders, as it also governs the processing of personal data from outside India, provided such data is used for offering goods or services within the country.
To provide clarity, the bill defines personal data as any information that pertains to an individual and makes them identifiable through such data. Furthermore, the term "processing" encompasses a range of activities carried out on digital personal data, whether fully or partially automated. This includes the collection, storage, usage, and sharing of such data.
The introduction of this bill marks a critical step in the Indian government's efforts to ensure the protection of individual data rights, and it will likely have far-reaching implications for businesses, both domestic and international, operating within the country's digital landscape. As the legislative process unfolds, it will be interesting to see how stakeholders respond and adapt to the changing data protection landscape in India.
Digital Personal Data Protection Bill, 2023: What About Users’ Consent?
As explained by the I&B Ministry, consent reigns as a crucial factor in the Bill. Before any processing of personal data can take place, it must have a lawful purpose, and consent from the individual is paramount. But obtaining this consent is no mere formality — a transparent notice must be provided beforehand, offering explicit details about the data to be collected and the intended purpose of processing.
The power to decide doesn't end with granting consent; individuals retain the right to withdraw it at any given time. However, there are instances where consent isn't mandatory, known as 'legitimate uses.' For instance, if the data is provided voluntarily by the individual for a specific purpose, consent might not be required. The government may also provide benefits or services without seeking explicit consent, and in cases of medical emergencies or employment scenarios, consent might be waived too.
Special attention is given to individuals below 18 years of age, as they require the consent of either their parent or legal guardian. This ensures that the processing of their personal data is conducted responsibly and with due consideration for their well-being and privacy.
Digital Personal Data Protection Bill, 2023: What Rights Will Users Have?
As per the Bill, the rights of the data principal (the individual whose data is being processed) take centre stage. Data principals are endowed with several crucial rights.
Firstly, they have the right to access information about how their data is being processed, empowering them with transparency and accountability.
Secondly, if they spot any inaccuracies or discrepancies in their personal data, they hold the right to seek its correction or even its erasure if deemed necessary.
Thirdly, data principals can designate another person to exercise their data rights in the unfortunate event of their death or incapacity.
And lastly, to ensure a seamless and fair process, they have the right to seek grievance redressal in case of any data-related issues.
However, along with rights come duties. Data principals must act responsibly and refrain from registering false or frivolous complaints that could potentially waste valuable resources and time. Additionally, it is imperative that they furnish truthful and accurate information, avoiding any impersonation or providing false particulars, especially in specified cases.
The consequences of violating these duties can be significant. In such instances, a penalty of up to Rs 10,000 may be imposed.
Digital Personal Data Protection Bill, 2023: What Will Be The Function Of Data Protection Board?
The Centre plans to establish the Data Protection Board, which will play a pivotal role in safeguarding individuals' personal data and ensuring that data fiduciaries adhere to the prescribed regulations.
At the core of its responsibilities, the Data Protection Board will monitor compliance with data protection laws and impose penalties on entities found in violation. This enforcement mechanism aims to hold data fiduciaries accountable for their data processing practices, fostering a culture of responsibility and trust.
Moreover, the Board will have the authority to direct data fiduciaries to take appropriate measures in case of a data breach. Swift action in the event of such incidents is crucial to minimise potential damages and ensure that affected individuals' rights are protected.
Another crucial function of the Board is to provide a platform for hearing grievances made by affected persons. This avenue will empower individuals to raise concerns and seek recourse if they believe their data rights have been compromised, further enhancing transparency and accountability.
Board members will be appointed for a term of two years and have the possibility of being re-appointed. This ensures continuity and expertise in data protection matters, as the members gain experience and insight during their tenure.
Digital Personal Data Protection Bill, 2023: Who Are Data Fiduciaries? What Responsibilities Do They Have?
Data fiduciaries bear significant responsibilities as the entities responsible for determining the purpose and means of data processing. These obligations are critical to ensuring the safety and privacy of individuals' personal information.
Firstly, data fiduciaries are required to make reasonable efforts to ensure the accuracy and completeness of the data they handle. This helps in maintaining data integrity and reliability, ensuring that individuals' information is not misused or compromised.
Secondly, building robust security safeguards is essential to prevent data breaches. Data fiduciaries must implement measures to protect data from unauthorised access or theft, safeguarding sensitive information and maintaining trust between the data principal and the fiduciary.
In the unfortunate event of a data breach, data fiduciaries have a duty to promptly inform both the Data Protection Board of India and the affected individuals. This transparent communication allows for swift action to be taken, mitigating the potential damages and ensuring accountability.
Furthermore, data fiduciaries must adhere to the principle of storage limitation. As soon as the purpose for data processing has been fulfilled, personal data should be promptly erased, and retention should not be continued unless required for legal reasons.
However, it is important to note that certain exceptions apply to government entities. In their case, the principles of storage limitation and the right to erasure for data principals may not be applicable due to the specific nature of governmental functions and legal requirements.
By adhering to these obligations, data fiduciaries play a vital role in upholding data protection standards, fostering trust between individuals and organisations, and safeguarding the privacy and security of personal information. As data protection regulations evolve, it is crucial for all stakeholders to be aware of and comply with these responsibilities to maintain a secure and ethical data ecosystem.
Some data fiduciaries may be identified as significant data fiduciaries based on certain criteria. Factors such as the volume and sensitivity of personal data processed, the potential risks to the rights of data principals, the security of the state, and considerations of public order play a role in determining this designation.
For those designated as significant data fiduciaries, there are additional obligations that they must adhere to. Firstly, they are required to appoint a data protection officer, whose responsibility is to oversee and ensure compliance with data protection regulations within the organisation. This step aims to enhance accountability and safeguard the privacy of individuals' data.
Secondly, significant data fiduciaries must conduct impact assessments and compliance audits. This involves a systematic evaluation of the data processing activities, analysing potential risks to individuals' rights, and ensuring alignment with data protection standards. By doing so, these entities can identify and address any areas of concern and maintain a higher level of data protection.
These additional obligations are crucial in ensuring that significant data fiduciaries handle personal data responsibly, with due consideration to the rights and privacy of data principals.
Digital Personal Data Protection Bill, 2023: Are There Any Exemptions?
Some exceptions have been carved out in the Bill where certain rights of the data principal and obligations of data fiduciaries do not apply. As we delve into these specified cases, it becomes apparent that some crucial circumstances fall outside the purview of the Data Protection Bill.
Firstly, when it comes to the prevention and investigation of offences, and the enforcement of legal rights or claims, data fiduciaries enjoy certain leeway in applying the rights of data principals and fulfilling their obligations — excluding data security, which remains a critical aspect regardless of the context.
Additionally, the central government wields the power to exempt specific activities from the application of the Bill through notifications. The exempted activities encompass processing undertaken by government entities in the interest of the security of the state and maintaining public order. Moreover, activities pursued for research, archiving, or statistical purposes also find themselves under this exemption umbrella.
These exceptions form a pivotal part of the Data Protection Bill, providing clarity on scenarios where certain rights and obligations need not be strictly enforced. However, it is essential to strike a balance between safeguarding individual data rights and accommodating necessary activities that contribute to the greater good, such as national security and research advancements.
As the Bill progresses, stakeholders will closely observe the implications of these exceptions. Ensuring that they are appropriately applied will be crucial to building a robust and responsible data protection framework.
Digital Personal Data Protection Bill, 2023: Will Special Considerations Play A Role When Handling Children’s Data?
When dealing with the personal data of a child, data fiduciaries are bound by specific restrictions to protect the child's well-being. They must refrain from any processing that may have adverse effects on the child's welfare.
Moreover, data fiduciaries are prohibited from conducting tracking, behavioural monitoring, or engaging in targeted advertising related to the child's data. These measures are put in place to ensure that children's privacy and safety are upheld during data processing activities.
Digital Personal Data Protection Bill, 2023: What About Cross-Border Data Transfers?
The proposed Bill permits the transfer of personal data outside India, with the exception of countries that have been restricted by the government through official notification.
Digital Personal Data Protection Bill, 2023: Finally, What About Penalties?
The Bill outlines penalties for various offences, aiming to maintain accountability and enforce strict adherence to data protection standards.
For non-fulfilment of obligations concerning the data of children, data fiduciaries may face penalties of up to a staggering Rs 200 crore. This emphasises the gravity of safeguarding the well-being and privacy of children during data processing activities.
Additionally, failure to implement adequate security measures to prevent data breaches carries hefty consequences. Data fiduciaries found wanting in this regard may be subject to penalties of up to Rs 250 crore, underscoring the importance of robust security measures to safeguard personal data from unauthorised access or theft.