
Digital Personal Data Protection Bill 2023: Key Highlights and Features

Updated: Jan 17

The Digital Personal Data Protection Bill of 2023 aims to establish guidelines for the processing of digital personal data, recognizing individuals' rights to safeguard their personal information while also acknowledging the lawful need to process such data.

What is the Digital Personal Data Protection Bill 2023?

The Digital Personal Data Protection Bill aims to manage digital personal data by balancing individuals' right to safeguard their data with the need to lawfully process such data for relevant purposes. It applies to digital personal data processing in India, including data collected online and offline data that is later digitised. It also extends to processing outside India when that processing relates to offering goods or services to Data Principals within India. A Data Protection Board of India (DPBI) will be established to regulate the entire regime of digital personal data protection in the country.


What is the importance of the Digital Personal Data Protection Bill 2023?


The bill's important definitions and key parties are outlined in Section 2:

  • "Consent Manager" refers to an entity registered with the Board, serving as a central point of contact that allows a Data Principal to provide, manage, review, and revoke their consent through an accessible, transparent, and interoperable platform.

  • "Data" refers to the representation of information, including facts, opinions, concepts, or instructions, suitable for communication, interpretation, or automated processing.

  • A "Data Fiduciary" is any person who, either alone or in collaboration with others, determines the purpose and methods of processing personal data.

  • "Data Principal" signifies the individual to whom the personal data pertains. For cases involving children, it includes parents or lawful guardians. Similarly, for individuals with disabilities, it encompasses their lawful guardians acting on their behalf.

Regarding the application of the Act, Section 3 stipulates the following:

  • The Act is applicable to the processing of digital personal data within India's borders if the data is collected in digital form or initially in non-digital form and subsequently digitized.

  • The Act also extends to the processing of digital personal data beyond India's borders if such processing is associated with activities related to offering goods or services to Data Principals within India.

  • However, the Act does not cover:

    • Personal data processed by an individual for personal or domestic purposes.

    • Personal data that is publicly available due to the Data Principal's actions or due to legal obligations to make such data accessible. For instance, if an individual publicly shares their personal data while blogging on social media, the Act's provisions would not be applicable.

Sec 6 deals with Consent:

The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose. Consent requests must be clear, in plain language, and accessible in preferred languages.


Data Principals can withdraw consent, and withdrawing must be as easy as granting it. The Data Principal bears the consequences of withdrawal, and the legality of processing carried out before withdrawal is not affected. Upon withdrawal, the Data Fiduciary must cease processing, except where processing is required by law.

Consent can be managed, reviewed, and withdrawn through a Consent Manager. Consent Managers are accountable to Data Principals and registered with the Board. In legal proceedings where consent is the basis for data processing, the Data Fiduciary must prove that notice was given and that valid consent was obtained.


Section 8 deals with Responsibilities of Data Fiduciaries:

The party responsible for determining the purpose and methods of data processing, known as the data fiduciary, is bound by the following obligations:

  1. Ensuring Accuracy and Completeness: The data fiduciary is required to make reasonable efforts to ensure that the data under its custody is accurate and complete.

  2. Implementing Security Safeguards: Reasonable security measures must be established by the data fiduciary to prevent the occurrence of data breaches.

  3. Breach Notification: In the event of a data breach, the data fiduciary is obligated to notify both the Data Protection Board of India and the individuals affected by the breach.

  4. Data Erasure: Personal data should be deleted as soon as its intended purpose has been achieved and there is no further legal necessity for its retention. This concept is referred to as "storage limitation."

  5. For government entities, the principles of storage limitation and the right of the data principal to request erasure will not be applicable.

Section 9: Protection of Children's Personal Data:

(1) Prior to processing personal data belonging to a child or a person with a disability under the guardianship of a lawful guardian, the Data Fiduciary is obligated to obtain verifiable consent from the child's parent or the lawful guardian, as prescribed. It's important to note that the term "consent of the parent" includes the consent of the lawful guardian, where applicable.

(2) A Data Fiduciary is prohibited from engaging in any processing of personal data that could potentially have a negative impact on the well-being of a child.

(3) The Data Fiduciary is restricted from performing tracking, behavioral monitoring of children, or engaging in targeted advertising aimed at children.

(4) The stipulations in sub-sections (1) and (3) do not extend to the processing of personal data belonging to a child by certain categories of Data Fiduciaries or for particular purposes, subject to conditions and prescriptions as determined.


Sec 16, Transfer of personal data outside India: The Bill allows transfer of personal data outside India, except to countries restricted by the central government through notification.


What are the penalties under Digital Personal Data Protection Bill 2023 ?

Sec 33 deals with penalties and adjudication:

  • Breach in observing the obligation of Data Fiduciary to take reasonable security safeguards to prevent personal data breach under sub-section (5) of section 8. May extend to 250 crore rupees.

  • Breach in observing the obligation to give the Board or affected Data Principal notice of a personal data breach under sub-section (6) of section 8. May extend to 200 crore rupees.

  • Breach in observance of additional obligations in relation to children under section 9. May extend to 200 crore rupees.

 


