Key provisions in Data Protection Bill, 2021

Data Protection Bill (DPB) is a proposed law to regulate the collection and processing of both personal and non-personal data. Following are key points in the DPB:

1. Why it is needed: The erstwhile Information Technology Act, 2000 is very limited in its scope, largely, focus on electronic information whereas DPB is more wider and complex law.
2. Retrospective applicability: As of now the DPB is slient about the retrospective applicability but the report issued earlier stated that the law will be applicable to any ongoing processing of data collected once the law is introduced.
3. Extra-territorial application: It will control the entities which are registered outside India but have business connection in India.
4. Data Fiduciaries and Data Processor: Entities processing personal data, may be either “Data Fiduciaries” (the entity that determines the purpose and means for processing) or “Data Processors” (the entity that processes personal data on behalf of a Data Fiduciary). These ’entities’ may be the State, a company, a non-government organization, a juristic entity or any individual. While most obligations under the DPB are applicable to data fiduciaries, limited obligations have also been imposed upon data processors, such as the necessity to implement security safeguards.
5. Data regulator: Data Protection Authority (DPA) will determine contravention of the law, determine penalties etc. Appeals order will lie before Appellate Tribunal.
6. Categories of sensitive data: Various categories have been defined for the data such as personal data, sensitive personal data, critical personal data and non-perosnal data. The classification has been done to higher the compliance as per the classification.
7. Consent managers: It is a link between individual and fiduciaries.
8. Specific provisions related to children: This new law requires thee age verification, parental consent. The DPB prohibits the profiling, tracking, or behavioral monitoring or targeted advertising directed at children and undertaking any other processing of personal data that can cause significant harm to the child.