Digital Personal Data Protection Bill: What does it Propose?
We all are aware that the Digital Personal Data Protection Bill 2022 proposal has been published by the Indian government. This Act explores how to oversee how digital personal data is processed. It explains to residents the significance of both the need to process personal data for fundamental purposes and the individual’s right to data security.
The entity must stop leveraging and checking personal data if it is reasonable to assume that the principal objective has been accomplished, per the Data Bill. Additionally, as quickly as possible, he or she should take away the means. Additionally, it stipulates that user data shouldn’t be kept around if it’s not required for legal or commercial reasons.
What Does Digital Personal Data Protection Bill States
It’s quite evident how, previously this year, during the Parliamentary Monsoon Session, the old Data Protection Bill was repealed. Its name has been changed to this because the government is now focusing solely on data security regulations.
The Digital Personal Data Protection Bill is planned to spell out the processes and guidelines for data collecting for businesses as well as the rights and obligations of “digital nagriks,” or citizens. The measure also includes seven penalties for violating any law’s rules. The Data Protection Board of India has been established to make these decisions. Orders of the board, however, can be contested in a High Court.
Digital Data Bill: Seven Principles
You should know that, as per the bill’s explanatory note, it is founded on seven major principles. The first is that “entities must use personal data in a way that is legitimate, fair to the individuals involved, and transparent to individuals.”
After this, the second principle specifies that only the goals for which personal data was gathered may be used. Similarly, the fourth principle emphasizes data accuracy when it comes to gathering, while the third principle discusses data minimization.
The fifth principle states that personal information cannot be “stored perpetually by default” and should only be kept for a specific amount of time.
According to the sixth principle, there should be enough protections to guarantee that “no unauthorized collection or use of personal data” occurs. Lastly, the Seventh principle talks about how “The person who determines the nature, scope, and means of the processing of personal data shall be liable for such processing.”
Concept of Data Principal & Fiduciary
Now you must be aware of the fact that these two terms are mentioned in the draft of the bill. Basically, the person whose data people will use for work purposes is referred to as the “Data Principal.”
Similarly, the entity that chooses the “purpose and means of the processing of an individual’s personal data” is referred to as a “Data Fiduciary.” Always keep in mind that this entity might be an individual, a company, a firm, a state, etc.
The law also states that parents or legal guardians will serve as children’s “Data Principals.” For example, if the Data principal is under the age of 18, his or her parents will be considered legal guardians. All data by or in connection with which an adult can be recognized will be considered personal data under the law. Furthermore, Processing is defined as the full set of activities that can be performed on personal data.
According to the bill, processing of data would therefore include everything from data collecting through data storage. The law also guarantees that people should have access to “basic information” in the languages included in the Indian Constitution’s eighth schedule.
Furthermore, the bill stipulates that consent must be obtained from the subject before their data is processed. It means that each individual should be aware of the specific personal data that a Data Fiduciary is collecting. Not only this, but the information regarding the purposes also be mentioned during the discussion.
All these can be in a written format with an understanding of language. Additionally, people have the option to revoke their consent from a data fiduciary.
Safe For Cross Border Data Transfers
Many people believe that this Act will establish a new, comprehensive data privacy regulation that will dictate how businesses must handle the data of their customers. It mostly entails allowing information to be transferred across borders with specific countries.
The proposal is considered a victory for IT firms because it allows data exchanges across borders with specific notified governments and territories. It is well known that placing limits on cross-border data flows will likely lead to increased rates of business failure, hurdles for start-ups, and more expensive product offers from established market participants.
The aforementioned requirements will ultimately have an impact on digital inclusiveness, Indian consumers’ access to a truly global internet, and the caliber of services.
The proposal also suggests that businesses only use the user data they have collected for the original reason they collected it. Additionally, it demands that businesses take responsibility for making sure that the user’s personal data is processed for the specific reason they collected it. Additionally, it demands that businesses only keep data for as long as is required to fulfil the stated purposes for which it was obtained, not for indefinite periods.
Overall, many Public policy experts have applauded the government’s decision to reduce the proposal from earlier iterations, which included over 90 provisions, to just 30. They do, however, believe that reducing its text might introduce some ambiguity. Also, take note of the fact that the proposed regulations would not affect some contentious laws in the nation that were drafted more than ten years ago. They are anticipated to be discussed in the parliament after public consultation.
Hope this post will help you understand the Digital Personal Data Protection Bill more comprehensively.