A new law that defines how companies should process users’ data came into force with the President giving assent to the Digital Personal Data Protection (DPDP) Act passed by Parliament in the just-concluded monsoon session.
The law arms individuals with greater control over their data while allowing companies to transfer users’ data abroad for processing, except to nations and territories restricted by the Centre through notification. It also gives the government power to seek information from firms and issue directions to block content. While the new law seeks to establish a robust framework for the protection of personal data in the digital realm, it has drawn criticism from some quarters over broad exemptions granted to state entities and some of its provisions diluting the landmark Right to Information (RTI) law.
The new legislation comes after the government, last year, withdrew a December 11, 2019 bill that had alarmed tech companies like Facebook and Google with its proposals for stringent restrictions on cross-border data flows.
Here are key takeaways from the freshly-minted, landmark law:
OBLIGATIONS OF DATA FIDUCIARY: Data fiduciaries, which are entities collecting and processing personal data, are required to obtain free, informed and unconditional consent from individuals before processing their data. Data must be deleted when its purpose has been fulfilled or consent is withdrawn. Entities must protect the personal data in their possession by taking reasonable security safeguards to prevent a data breach, and must alert the Data Protection Board of India and affected persons when a data breach occurs. A data fiduciary has to publish the contact information of a Data Protection Officer or a person who will answer questions about the processing of personal data. A data fiduciary will also have to establish an effective grievance redressal mechanism.
RIGHTS & RESPONSIBILITIES OF INDIVIDUALS: Individuals have the right to access the personal data collected about them and to know with whom it has been shared. They can request the deletion, correction, or updating of their personal data. In case of a grievance, they can approach the redressal mechanism set up by data fiduciaries. The rights, however, come with certain duties. Individuals cannot impersonate another individual while providing personal data, cannot register a false complaint, and cannot suppress material information. Breach of these duties is punishable with a penalty of up to Rs 10,000.
SPECIAL PROVISIONS: The government can restrict the transfer of personal data to certain countries for security and sovereignty reasons. It can also exempt certain classes of fiduciaries, including startups, from complying with specific provisions.
POWERS OF GOVERNMENT: The government can order the blocking of a data fiduciary after a hearing based on the recommendation of a Data Protection Board. Immunity from legal proceedings is extended to the central government, the board, its chairperson, and members. Decisions of the board are now appealable before TDSAT.
TIMELINES: The Lok Sabha approved the bill on August 7, and the Rajya Sabha on August 9, marking the completion of the parliamentary approval process. The government expects to implement the DPDP Act within 10 months, IT Minister Ashwini Vaishnaw had said. The draft bill had been circulated in November 2022 for public comments, after the government withdrew a previous version of the data protection bill from the Lok Sabha on August 3, 2022.
APPLICABILITY: Personal data is defined as data about an individual. The norms will apply to personal data collected in digital form, from individuals in India, and personal data collected offline but digitised subsequently. It will also apply to processing outside India, if it has to do with offering goods or services to individuals in India. The Act does not apply to personal data processed by an individual for any domestic purpose, nor to personal data made publicly available by an individual.
PROCESSING OF PERSONAL DATA: Processing means activities related to digital personal data, including collection, storage, indexing, sharing, use, disclosure, dissemination and even erasure. Personal data can be processed only for a lawful purpose for which an individual has given consent, and for certain legitimate uses. For consent, a notice has to be given by the data fiduciary (the entity using the data) to the data principal (the individual) describing the data to be processed and the purpose of the processing, as well as the manner in which the individual can make a complaint to the Data Protection Board.
CONSENT: Consent of individuals should be free, unambiguous, and a clear affirmative action, agreeing to the processing of personal data only for the specified purpose. This means that even if consent is sought for other purposes, say where a telemedicine app seeks access to a user's contact list, the consent will be considered limited to the actual purpose for which the data is being collected (telemedicine services). Consent can be withdrawn at any time.