Union Cabinet approves Personal Data Protection Bill: What it entails
India is being ushered into a new era of digital privacy. Today, the Union Cabinet approved the draft of the Digital Personal Data Protection Bill, 2022. The Bill is expected to be tabled in the parliament's monsoon session. It is part of the government's vision for a broader framework of technology regulations that includes the Digital India Act. Let's see what the Bill entails.
First draft of the Bill was introduced in November 2022
In 2019, the government introduced the Personal Data Protection Bill, 2019 in the parliament. In August 2022, the Bill was withdrawn. In November 2022, the first draft of the Digital Personal Data Protection Bill was released. It underwent multiple rounds of public consultations. A second draft was prepared taking into consideration the feedback received during consultations. Now, it has been approved.
The Bill is about the processing of personal data
The Bill concerns the processing of digital personal data in India. This covers data collected online, as well as data collected offline and later digitized. Personal data is information that relates to an individual either directly, such as name and contact information, or indirectly, such as vehicle numbers, location, and employee code, among others. To count as personal data, the information should help in identifying an individual.
It also applies to data collected outside India
The Bill's jurisdiction extends outside India too. It covers personal data collected outside India when that data is used for offering goods or services in India. It also includes data collected for profiling individuals in India.
Individual's consent is required for processing data
The Bill calls the individuals whose data is being processed 'Data Principals.' Per the Bill, data can only be processed after obtaining the consent of the individual. To obtain consent, companies must provide a notice that includes the details of the collected data and the purpose of processing. An individual's consent is deemed to have been given in cases where data processing is necessary.
Data Principals can withdraw their consent to process data
Data Principals have multiple rights under the Bill. They can seek a summary of their data, withdraw consent to the processing of their personal data, seek correction or erasure of their data, and nominate another person to exercise their rights in case of death or incapacity. Individuals can also approach companies with any grievance related to data processing.
Individuals have certain duties under the Bill
The Bill also mentions certain duties for individuals to ensure they do not misuse their rights. Their duties include claiming rights in the manner prescribed by the Bill and not registering false or frivolous complaints.
Data Fiduciaries must implement safeguards to prevent data breaches
'Data Fiduciaries' refer to entities that process data. As the name suggests, they have a fiduciary capacity when it comes to the personal data of Data Principals. They have certain obligations under the Bill. They must implement reasonable safeguards to prevent data breaches. If there is any breach, they must inform the Data Protection Board of India and the affected individuals.
Fiduciaries should delete data after processing
Per the Bill, data fiduciaries should delete personal data after the purpose of processing data is completed. They can, however, store it if retention is necessary for legal or business purposes. Government entities are not bound by the data storage limitation. Also, data fiduciaries can transfer personal data only to countries notified by the Central government.
Data Protection Board will monitor compliance
The Data Protection Board of India will be the nodal authority under the Bill. The Board will be responsible for monitoring compliance and imposing penalties. It will also address grievances and give directions to fiduciaries in case of data breaches. The government will determine the composition of the Board and processes related to the appointment and removal of its members.
Penalties range up to Rs. 250 crore
The Bill imposes penalties for non-compliance. Penalties range from up to Rs. 10,000 for breach of duty by the Data Principal to Rs. 250 crore for the failure of the Data Fiduciary to take necessary steps to prevent data breaches. Any order of the Board imposing a penalty can be challenged before the High Court.