Context:
Recently, the Digital Personal Data Protection Bill, 2023, was introduced in Parliament.
More on News:
- It lays out procedures on how corporations and the government itself can collect and use information and personal data of India’s citizens.
- Personal Data: Any data about an individual who is identifiable by or in relation to such data.
About the Digital Personal Data Protection Bill, 2023:
- Aim: It aims to provide strong protection and privacy of personal data.
- Applicability: It applies to the processing of digital personal data within India and may also apply outside India if it is for offering goods or services in India.
Consent for Personal Data Processing:
- Obtaining Consent: Personal data may be processed only after obtaining the consent of the individual.
- Consent may be withdrawn at any point in time.
- Details in Notice: A notice should contain details about the personal data to be collected and the purpose of processing.
- Exemptions: Consent will not be required for legitimate uses such as the provision of a benefit or service by the government and medical emergencies.
Rights and Duties of Data Principals (the person to whom the data relates):
- Information: Data principals have the right to obtain information about processing.
- Correction and Erasure: Data principals can seek correction and erasure of personal data.
- Nomination: Data principals can nominate another person to exercise their rights in the event of death or incapacity.
- Grievance Redressal: Data principals have the right to grievance redressal.
- Duties: Data principals must not register a false or frivolous complaint, furnish any false particulars, or impersonate another person in specified cases.
- Penalties: Violation of duties will be punishable with a penalty of up to ₹10,000.
Data Fiduciaries (persons, companies and government entities who process data):
- Obligations: Data fiduciaries must make reasonable efforts to ensure the accuracy and completeness of data and build reasonable security safeguards to prevent a data breach.
- Breach Notification: Data fiduciaries must inform the Data Protection Board of India and affected persons in the event of a data breach.
- Erase Personal Data: Data fiduciaries must erase personal data as soon as the purpose has been met and retention is not necessary for legal purposes (storage limitation).
Significant Data Fiduciaries:
- Certain data fiduciaries may be designated as significant data fiduciaries, who will have certain additional obligations including appointing a data protection officer and undertaking impact assessment and compliance audit.
- Certain factors must be taken into account, such as:
  - Volume and sensitivity of personal data processed
  - Risks to the rights of data principals
  - Security of the state
  - Public order
Additional Obligations on these Significant Data Fiduciaries:
- Appointing a Data Protection Officer
- Undertaking impact assessment and compliance audit
Exemptions:
- Rights of the data principal and obligations of data fiduciaries (except data security) will not apply in specified cases. These include:
  - Prevention and investigation of offenses
  - Enforcement of legal rights or claims
- The Central Government may, by notification, exempt certain activities from the application of the Bill. These include:
  - Processing by government entities in the interest of the security of the state and public order
  - Research, archiving, or statistical purposes
About Processing of Personal Data of Children:
- Restrictions: Data fiduciaries must not undertake processing that is likely to cause any detrimental effect on the well-being of the child, and must not undertake tracking, behavioral monitoring, or targeted advertising.
- Penalties: Violation of restrictions will be punishable with a penalty of up to ₹5 lakh for each offense.
- Exemptions:
  - State Processing: Rights of the data principal and obligations of data fiduciaries (except data security) will not apply in cases of prevention and investigation of offenses, and enforcement of legal rights or claims.
  - Notification: The central government may, by notification, exempt certain activities from the application of the Bill. These include processing by government entities in the interest of state security and public order, and research, archiving, or statistical purposes.
About Cross-border Transfer of Data:
- The Bill allows the transfer of personal data outside India, except to countries restricted by the government through notification.
Data Protection Board of India:
- Establishment:
  - The Central Government will establish the Data Protection Board of India.
- Board Members:
  - Appointment: Board members will be appointed for two years and will be eligible for reappointment.
  - Concern: The short term with scope for reappointment may affect the independent functioning of the Board.
- Key Functions:
  - Monitoring compliance and imposing penalties
  - Directing data fiduciaries to take necessary measures in the event of a data breach
  - Hearing grievances made by affected persons
Key Issues and Analysis:
- Violation of Fundamental Right to Privacy: Exemptions to data processing by the state on grounds such as national security may lead to violation of the fundamental right to privacy.
- Right to Data Portability and Right to be Forgotten: The Bill does not grant the right to data portability and the right to be forgotten to the data principal.
- Risks of Harms: The Bill does not regulate risks of harms arising from processing of personal data.
- Transfer of Personal Data outside India: The mechanism for restrictions on transfer of personal data outside India may not ensure adequate evaluation of data protection standards in the countries where transfer of personal data is allowed.
News Source: The Hindu