Digital Personal Data Protection Bill: What rights users get
The Digital Personal Data Protection Bill 2023 has been passed by both houses of Parliament. The legislation will be the country's first law to protect personal data. The Bill has been in the making since 2019. Now, it is close to being implemented by the government. This is a good time to look at users' rights under the Digital Personal Data Protection Bill.
Why does this story matter?
The right to privacy became a fundamental right in India in 2017. There have been calls to protect the digital personal data of Indian citizens since then. The Digital Personal Data Protection Bill puts the onus on companies to protect the personal data of users. It also gives users multiple rights to ensure their data isn't being mishandled.
Personal data helps identify a person directly or indirectly
Rights can be beneficial only if people understand what they are meant for. Therefore, it is imperative to understand what personal data means. The Bill defines personal data as any data that can help identify an individual directly or indirectly. For instance, name and contact information are directly related to a person, while vehicle number and location are indirect identifiers.
Companies require consent of users to process data
The Bill talks about user consent. For the first time, data fiduciaries (companies) in India can process personal data only with the consent of users. Consent must be obtained through a clear and legible notice that includes the details of collected data and the purpose of processing. However, the consent of users is not required for "legitimate uses."
What is included in legitimate uses?
"Legitimate uses" include specified purposes for which the individual provided data voluntarily. Employers can use the data of employees for employment purposes. "Legitimate uses" also include services provided by the government and medical emergencies.
Consent can be withdrawn at any time
The consent obtained from users won't extend beyond the specific purpose for which data will be processed. Data fiduciaries also have to delete personal data if the purpose of its collection is no longer being served. Users can seek legal recourse if companies do not comply with these requirements. Lastly, the consent given by users can be withdrawn at any time.
Users can seek correction or erasure of their data
The Bill offers a novel system where users can decide what happens with their data. It empowers users to obtain information about what is being done with their data. They can also seek a summary of their data. They can ask for correction and erasure of personal data and nominate another person to exercise their rights in case of death or incapacity.