In News: The Digital Personal Data Protection Bill, 2022 (DPDP Bill, 2022) is currently open for public input and is slated to be presented in Parliament during the Monsoon session of 2023. It focuses on data protection regulations.
The Digital Personal Data Protection Bill:
Key features of the bill
(1) Data Principal and Data Fiduciary
- The bill uses the term “Data Principal” to denote the individual whose data is being collected.
- The term “Data Fiduciary” the entity (can be an individual, company, firm, state etc.), which decides the “purpose and means of the processing of an individual’s personal data.”
- The law also makes a recognition that in the case of children –defined as all users under the age of 18— their parents or lawful guardians will be considered their ‘Data Principals.’
(2) Defining personal data and its processing
- Under the law, personal data is “any data by which or in relation to which an individual can be identified.”
- Processing means “the entire cycle of operations that can be carried out in respect of personal data.”
- So right from collection to storage of data would come under processing of data as per the bill.
(3) Individual’s informed consent
- The bill also clarifies that an individual needs to give consent before processing their data.
- Every individual should know what items of personal data a Data Fiduciary wants to collect and the purpose of such collection and further processing.
- Individuals also have the right to withdraw consent from a Data Fiduciary.
- The bill also gives consumers the right to file a complaint against a ‘Data Fiduciary’ with the Data Protection Board in case they do not get a satisfactory response from the company.
(4) Language of information
- The bill also ensures that individuals should be able to “access basic information” in languages specified in the eighth schedule of the Indian Constitution.
- Further, the notice of data collection needs to be in clear and easy-to-understand language.
(5) Significant Data Fiduciaries
- The bill also talks of ‘Significant Data Fiduciaries, who deal with a high volume of personal data.
- The Central government will define individuals designated under this category based on various factors. These factors will range from the volume of personal data processed to the risk of harm and the potential impact on India’s sovereignty and integrity.
(6) Data protection officer & Data auditor
- Such entities will have to appoint a ‘Data protection officer’ who will represent them.
- They will be the point of contact for grievance redressal.
- They will also have to appoint an independent Data auditor who shall evaluate their compliance with the act.
(7) Right to erase data, right to nominate
- Data principals will have the right to demand the erasure and correction of data collected by the data fiduciary.
- They will also have the right to nominate an individual who will exercise these rights in the event of death or incapacity of the data principal.
(8) Cross-border data transfer
- The bill also allows for cross-border storage and transfer of data to “certain notified countries and territories.”
- However an assessment of relevant factors by the Central Government would precede such a notification.
(9) Financial penalties
- The draft also proposes to impose significant penalties on businesses that undergo data breaches or fail to notify users when breaches happen.
- Entities that do not take “reasonable security safeguards” to prevent personal data breaches could face fines as high as Rs 250 crore.
- As per the draft, the Data Protection Board — a new regulatory body to be set up by the government — can impose a penalty of up to ₹500 crore if non-compliance by a person is found to be significant.
- The current legal framework in India lacks provisions for unauthorized access to personal data or interception without consent.
- Data protection law must regulate mass surveillance initiatives like Crime and Criminal Tracking Network and Systems (CCTNS), the Central Monitoring System (CMS), or the National Intelligence Grid (NatGrid) to be effective.
- Data Protection Bill, 2021 didn’t improve the draft law by Justice B N Srikrishna, but worsened its flaws.
Read Also: Competitive Federalism