Summary of Key Points: The Digital Personal Data Protection Bill, 2023

The Digital Personal Data Protection Bill, 2023, aims to ensure the privacy and security of personal data in the digital realm, with provisions governing consent, rights of individuals, obligations of data fiduciaries, and the establishment of a regulatory body for oversight and enforcement.

Key Provisions:

  • Applicability: The Bill applies to the processing of digital personal data within India. This includes data collected online or offline, which is then digitized. It also extends to the processing of personal data outside India if it involves offering goods or services within the country. Personal data is defined as any information that can identify an individual. Processing encompasses various operations on this data, such as collection, storage, use, and sharing.
  • Consent: Processing of personal data is permissible only for lawful purposes and after obtaining the consent of the individual. Consent must be preceded by a clear notice that specifies the data to be collected and the intended processing purpose. Consent can be withdrawn at any time. Consent is not required for certain instances known as 'legitimate uses', such as situations where data is provided voluntarily, government service provision, medical emergencies, and employment. For individuals under 18, parental or legal guardian consent is necessary.
  • Rights and Duties of Data Principals: Individuals (data principals) whose data is being processed have several rights, including obtaining information about data processing, requesting data correction and erasure, nominating representatives in case of incapacity, and accessing grievance redressal mechanisms. Data principals also have duties, including not making false complaints or providing misleading information. Failure to adhere to these duties can lead to penalties of up to Rs 10,000.
  • Obligations of Data Fiduciaries: Data fiduciaries, the entities determining data processing purposes, must ensure data accuracy, implement security safeguards to prevent breaches, notify the Data Protection Board of India and affected parties in case of breaches, and erase data when its purpose is fulfilled and retention is not legally required. Government entities have exemptions from certain obligations.
  • Significant Data Fiduciaries: Some data fiduciaries can be designated as significant, based on factors like data volume, sensitivity, risks to rights, security considerations, and public order. These entities have extra responsibilities, including appointing data protection officers and conducting impact assessments and compliance audits.
  • Child Data Protection: While processing a child's data, data fiduciaries must avoid activities that might harm the child's well-being and must not engage in tracking, behavioral monitoring, or targeted advertising.
  • Cross-Border Data Transfer: The Bill permits transferring personal data outside India, except to countries restricted by government notifications.
  • Data Protection Board of India: The central government will establish the Data Protection Board of India, responsible for monitoring compliance, imposing penalties, directing data fiduciaries during breaches, and addressing grievances. Board members will serve two-year terms and can be reappointed.
  • Penalties: The Bill outlines penalties for offenses, including up to Rs 200 crore for non-compliance with child protection obligations and up to Rs 250 crore for failure to implement security measures against data breaches.
  • Exemptions: Certain situations, such as crime prevention, investigation, or enforcing legal claims, are exempt from the rights of data principals and some obligations of data fiduciaries (except data security). The central government can also exempt activities like state security processing and research purposes through notifications.

In essence, the Digital Personal Data Protection Bill, 2023 strives to create a robust legal framework that safeguards personal data in the digital realm while balancing individual rights with legitimate interests and public security concerns.
