Personal data includes information that can be used to identify a person. This data is utilized by businesses and governments to offer products and services. It helps them understand individual preferences, leading to personalized experiences, targeted advertisements, and recommendations. Law enforcement can also benefit from this data. However, the uncontrolled use of personal data poses a threat to privacy, which is considered an essential right. It could result in issues like financial loss, damage to one’s reputation, and discriminatory profiling.
India currently does not have dedicated legislation to protect data. The use of personal data is regulated under the Information Technology (IT) Act 2000. In an effort to address this gap, the government established a panel of experts headed by Justice B.N. Srikrishna in 2017 to examine data protection measures.
The panel presented its findings in July 2018, which led to the introduction of the Personal Data Protection Bill 2019 in Lok Sabha in December 2019. The bill was then referred to a Joint Parliamentary Committee, whose report was shared in December 2021. However, the bill was later withdrawn in August 2022. In November 2022, a Draft Bill seeking public opinions was released. Finally, in August 2023, the Digital Personal Data Protection Bill 2023 was introduced in Parliament.
The new Bill has some important points:
- The bill applies to the management of personal data in India, whether it is collected online or converted to digital format after offline collection. It also pertains to data processing conducted outside of India, but only if it is done for the purpose of providing goods or services within India.
- Personal data can only be used for legitimate purposes and with the explicit consent of the individual it pertains to. There are certain situations where consent may not be necessary, such as when an individual willingly shares their data or when government agencies utilize it for licensing and essential services.
- Data fiduciaries, the individuals responsible for managing data, have the critical task of ensuring its accuracy and safety. Equally important is their responsibility to promptly delete the data once it is no longer required.
- Every individual has the right to access information, rectify their personal data, and have their grievances addressed.
- Certain parts of the Bill can be exempted by the government for its own agencies in cases related to national security or public safety.
- If the rules in the Bill are not followed, a specialized group called the Data Protection Board of India will be responsible for making decisions.
Important Considerations and Evaluation of the Digital Personal Data Protection Bill 2023
- If exemptions for state data processing, particularly related to national security, are allowed, there is a risk of collecting, processing and retaining more data than required. This could potentially compromise the right to privacy.
- The Bill does not address the potential harms of handling personal data.
- The rights to data portability and the right to be forgotten for data subjects are not included in the Bill.
- The Bill allows for the transfer of personal data overseas, with the exception of countries specified by the government. This approach may not guarantee a thorough evaluation of data protection standards in these approved countries.
- The members of the Data Protection Board of India will have a two-year term, with the possibility of being re-appointed. This relatively short tenure and the possibility of reappointment could affect the impartial functioning of the Board.
How does the bill work?
The proposed Bill requires companies, referred to as ‘data fiduciaries’, to enhance the protection of digital data collected from individuals, also known as ‘data principals’. This includes providing clear information to individuals about the data being collected and its intended use, appointing a Data Protection Officer with accessible contact details, and granting users the ability to delete or modify their personal data. These requirements align with similar obligations found in other global data protection laws, such as the European Union’s General Data Protection Regulation.
The Bill proposes penalties ranging from ₹50 crore to ₹250 crore for companies that fail to ensure the security of user data or comply with disclosure rules. These penalties can accumulate, meaning that a single company could face multiple fines for each violation.
The Union government will later announce additional criteria that will determine which companies are labeled as ‘significant’ data fiduciaries. These companies will be subject to stricter regulations, including undergoing data audits and conducting ‘Data Protection Impact Assessments.’
The Bill also establishes the Data Protection Board of India (DPBI), which will be responsible for overseeing data protection measures. The board members will be appointed by the Union Government through official notifications.
How Does the Digital Personal Data Protection Bill 2023 Ensure and Uphold Consumer Privacy?
By empowering individuals to control their personal data and holding companies responsible for how they handle data, the bill strives to create a safer and more privacy-conscious digital landscape for Indian consumers. Here is how it protects consumer privacy.
- Enhanced Data Transparency and Consent: The Digital Personal Data Protection Bill 2023 aims to enhance consumer privacy by promoting transparency and giving individuals more control over their personal data. It requires companies, referred to as ‘data fiduciaries,’ to provide clear information to individuals, who are called ‘data principals,’ about the data collected, its purpose, and how it will be used. This allows consumers to make informed decisions regarding sharing their data. In addition, the bill emphasizes obtaining explicit consent from individuals before processing their data, ensuring that personal information is only used for agreed-upon purposes.
- Strengthened User Rights: The bill provides individuals with strong rights to control their personal information. Consumers have the right to access, correct, and request deletion of their data when it is no longer needed. Having control over their personal information allows consumers to take charge of their digital presence and have a voice in determining how their data is handled.
- Stringent Data Protection Measures: In order to protect consumer privacy, the bill includes strict regulations for data fiduciaries. These requirements include implementing robust security measures to safeguard collected data from unauthorized access and breaches. Furthermore, data fiduciaries are required to appoint a designated Data Protection Officer who will be responsible for ensuring compliance with the law and addressing any concerns related to data.
- Accountability and Enforcement: The bill imposes strict penalties for non-compliance, holding companies accountable for safeguarding consumer data and meeting disclosure obligations. Significant fines can be levied on businesses that fail to adequately protect customer information. This incentivizes organizations to prioritize privacy and take data protection seriously. To ensure accountability, the legislation establishes the Data Protection Board of India (DPBI), which will oversee and enforce data protection regulations. Individuals will have the means to address concerns regarding privacy through this regulatory body.
The Digital Personal Data Protection Bill 2023 covers various important aspects to ensure strong protection of consumer privacy.
- Scope: The Bill applies to the handling of digital personal information within India, whether obtained online or converted from offline sources into digital format. It also applies to handling personal data abroad if it is connected to providing goods or services within India. Personal data refers to information that can identify an individual, and processing includes automated or partially automated actions such as collection, storage, use, and sharing.
- Consent: Obtaining consent is a key focus of the Bill, ensuring that personal data is only processed with clear and informed consent from individuals. The Bill emphasizes the importance of providing clear notices to individuals about what data will be collected and how it will be used, allowing them to make an informed decision regarding consent. Importantly, individuals retain the right to withdraw their consent at any time. It’s worth noting that consent is not required for certain legitimate uses, such as voluntarily shared data, government-provided benefits or services, medical emergencies, or employment purposes.
- Rights and Duties of Data Principals: Data Principals, those whose data is being processed, have specific rights and duties. Data principals have the right to access details about how their data is being processed, as well as the ability to correct or erase personal data if necessary. In cases of incapacity or death, they can also nominate a representative to act on their behalf. If any grievances arise regarding their data processing, they have the right to seek resolution. Alongside these rights, data principals also have certain responsibilities.
- Transfer of Data Outside India: According to the Bill, personal data transfers outside of India are allowed, except to countries that the central government has specified through notification.
- Penalties: The Bill establishes penalties for different offenses, such as up to Rs 200 crore for non-compliance with regulations regarding children’s data and up to Rs 250 crore for inadequate prevention of data breaches. The Board is responsible for imposing these penalties after conducting inquiries.
To summarize, the Digital Personal Data Protection Bill 2023 aims to protect consumer privacy by promoting transparency, enhancing user rights, implementing strict data protection measures, and establishing a strong system of accountability and enforcement. It is an important piece of legislation that aims to protect individuals’ personal data. It establishes a strong framework based on consent-driven processing, rights enforcement, and stringent obligations for data handlers. The bill also sets up a regulatory body to ensure compliance and accountability.