PDPB (Digital Personal Data Protection Bill)

What is PDPB? What will the data protection bill do?

The Bill establishes requirements for businesses that handle and process data, and sets out individual rights. Its purpose is to prohibit cross-border data transfers, penalize firms for data breaches, and provide a framework for the establishment of a data protection body to ensure compliance.

The PDPB states that it applies to “the processing of digital personal data within India where such data is collected online, or collected offline and is digitized” as well as “such processing outside India if it is for offering goods or services or profiling individuals in India.”

Noncompliance and failure can result in penalties for businesses and institutions. The companies or organizations will also be compelled to discontinue retaining user data if it no longer serves the intended business purpose.

Similar to the EU's General Data Protection Regulation (GDPR), the bill is designed to protect the individuals within its purview, even when their data is processed by companies or other data fiduciaries outside of India.

What is Personal Data?

Personal data is defined under the PDPB as “any data about an individual who is identifiable by or in relation to such data.”

In other words, it is any information that can be used to identify a specific individual. This can include, but is not limited to, names, addresses, phone numbers, email addresses, and demographic information.

"There is no mention of Sensitive Personal information explicitly in the bill"

Some Key Terminology

Data Fiduciary - one who collects data on behalf of others

Data Principal - the individual whose data is being collected

Data Processor - an organization that processes data on behalf of a data fiduciary

Data Protection Officer - the individual responsible for ensuring compliance with data protection laws

Data Principals: Rights for Citizens

  • Right to Information: Data principals have the right to access information about the processing of their personal data, along with a summary of the data itself.
  • Right to Withdraw Consent: Individuals can withdraw their consent for data processing at any point and are entitled to be informed if their data has been shared with a third party.
  • Right to Correction and Erasure: Data principals have the authority to rectify inaccuracies in their personal data and request the erasure of such data when no longer necessary.
  • Right of Grievance Redressal: This empowers data principals to register complaints with the data fiduciary. Grievances can be escalated to the Data Protection Board in cases of inadequate or unsatisfactory responses.

The bill outlines certain obligations for Data Principals, including refraining from providing false information and filing false complaints.

Responsibilities of Data holding companies

  • Transparency: Data fiduciaries must transparently explain the personal data they intend to collect and the purpose behind the collection.
  • Informed Consent: Prior informed consent is mandatory for collecting an individual's personal data.
  • Withdrawal of Consent: Individuals retain the right to withdraw consent anytime.
  • Data Accuracy: Measures should be implemented to ensure the accuracy and completeness of processed data.
  • Security Measures: Adequate security measures must be in place to prevent data breaches.
  • Data Retention: Data should only be retained as long as required for the intended purpose.
  • Data Breach Notification: In the event of a data breach, the Data Protection Board and affected data principals must be notified.
  • Data Sharing: Data fiduciaries should establish contracts before sharing or transferring data to other fiduciaries or data processors. For larger data organizations, the bill mandates appointing a data protection officer and an independent auditor for periodic compliance audits.

Penalties for Non-compliance

Violations of the requirements for data principals may result in fines of up to 10,000 rupees.

Violations by data fiduciaries and significant data fiduciaries may result in fines of up to 250 crore rupees and a minimum of Rs 50 crore. The amount of the penalty imposed depends on the violation, its impact or potential impact, the type of personal data affected, and other factors.


India's Personal Data Protection Bill is about to become the latest international law that helps protect the individual's privacy rights. The enactment of this bill will make India a safe country in which to handle and process personal information. The bill's current version reflects how much effort and debate went into it, and its passing would mean India has a comprehensive data privacy law in place to protect the more than 760 million active internet users in the country.


P.S.: Sharing my understanding of this topic. Feel free to overlook any errors or omissions. Open to enriching discussions!


Vineet Kumar

Marketing Manager at ICode Breakers

1 year ago

The India DPDP Bill 2023 holds immense potential for transforming the data protection landscape for businesses. Explore the following blog to delve into essential factors, spotlighting the changing hurdles and prospects that lie ahead for enterprises. Read more at https://bit.ly/47yQxXr

Shahzan Mulla

Head of IT Infra and Security | Digital Transformation | Cyber security

1 year ago

A crucial step towards data privacy! Looking forward to seeing how this bill shapes the landscape of digital personal data protection in India. Rohit Chowdary
