Getting your Trinity Audio player ready...
|
Having received the green light from the Rajya Sabha, the Digital Personal Data Protection Bill of 2023 paves the way for a robust framework governing the handling of digital personal data, prioritising the protection of individuals’ privacy rights while also acknowledging the necessity of utilising such data for legitimate purposes.
This legislation encompasses a wide scope, applying not only to digital personal data collected within India, regardless of whether it was acquired online or through offline means that have been digitised but also extending its reach to personal data processed beyond India’s borders, provided it pertains to the provision of goods or services within the country. The definition of personal data includes any information that can be attributed to a specific individual, while processing, encompassing activities like collection, storage, usage, and sharing, is delineated as a set of automated or partially automated operations carried out on digital personal data.
The legislation safeguards digital personal data by outlining the obligations of data fiduciaries, specifying the rights and duties of Data Principals, and financial penalties for violations of these rights, duties, and obligations. Additionally, the bill aims to introduce a data protection law with minimal disruptions, facilitating the necessary transformation in how data fiduciaries process data. This approach seeks to improve ease of living, and ease of doing business, bolster India’s digital economy, and foster its innovation ecosystem.
The bill is formulated on the foundation of seven key principles. It believes in the principle of consent, lawful and transparent use of personal data; the principle of purpose limitation; the principle of data minimisation; the principle of data accuracy; the principle of storage limitation, the principle of reasonable security safeguard, and the principle of accountability.
The legislation also incorporates several innovative features. It is concise and follows a SARAL approach, which stands for Simple, Accessible, Rational, and Actionable Law. It employs straightforward language, includes illustrative elements to enhance clarity, contains no provisos, and has minimal cross-referencing.
The bill uses the word “she” instead of “he”, signifying the recognition of women’s involvement in parliamentary law-making. It grants individuals the right to access information about processed personal data, the right to rectify and remove data, the right to grievance redressal, and the right to nominate a person to exercise rights in case of death or incapacity.
To assert their rights, an affected Data Principal may initially approach the data fiduciary. In case they are not satisfied, they have the option to file a complaint against the data fiduciary with the Data Protection Board in a straightforward process. Data fiduciaries must maintain the accuracy of data, ensure data security, and delete data once its purpose has been met.
The bill also safeguards the personal data of children. It does not permit processing, which is detrimental to the well-being of children or involves tracking, behavioural monitoring, or targeted advertising.
In the interest of specified grounds such as state security, public order, and prevention of offences, the central government retains the authority to exclude government agencies from adhering to the provisions of the Bill. The Data Protection Board of India will adjudicate non-compliance with the provisions of the Bill. Responsibilities of the Board also include monitoring compliance and imposing penalties, directing data fiduciaries to take necessary measures in the event of a data breach, and hearing grievances made by affected persons.