Background
The journey towards data protection legislation can be traced back to 2017, when an expert committee was constituted by the Ministry of Electronics and Information Technology (MeitY). A major development came in December 2021, when the draft of the Data Protection Bill, 2021 (DPB, 2021) was released.
Finally, on 3rd August 2023, the Lok Sabha introduced the Digital Personal Data Protection Bill, 2023 to provide for the processing of digital personal data in a manner that recognizes not only the right of individuals to protect their personal data but also the need to process such personal data for lawful purposes. The President of India gave her assent to the Digital Personal Data Protection Act 2023 on 11th August 2023.
Why is the Digital Personal Data Protection Bill, 2023 important?
Data holds utmost importance in the present world, and the protection of data is just as relevant. Given the way society shares data on various applications and social media platforms, the protection of data is a grave concern. When we install an application on a mobile phone, it asks for access to all our information, and we consent to the terms and conditions without glancing over them.
The primary purpose of the Act is to regulate the processing of digital personal data and respect individuals’ right to protect their data while recognizing the necessity of processing and using such data for lawful purposes. Data breaches are becoming a regular occurrence.
Some of the major instances of privacy breaches occurred when the personal data of users given to the CoWIN portal was hacked and the personal data of vaccinated users was made public on Instagram. To avoid these types of consequences, the Digital Data Protection Bill has been introduced.
Key Definitions in Digital Personal Data Protection Bill, 2023:
“Board” means the Data Protection Board of India established by the Central Government under section 18;
“Data Principal” means the individual to whom the personal data relates and where such individual is—
(i) a child, includes the parents or lawful guardian of such a child;
(ii) a person with disability, includes her lawful guardian, acting on her behalf;
“Data” means a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by human beings or by automated means;
“Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;
“Personal data breach” means any unauthorized processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction, or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data;
Applicability of the Act
The Act applies to
- the processing of digital personal data within India’s territory, where the personal data is collected
i. in digital form, or
ii. in non-digital form and digitized subsequently.
- the processing of digital personal data outside India, if such processing is related to offering goods or services to Data Principals within India.
The Act is not applicable to
- personal data processed by an individual for any personal or domestic purpose
- personal data which is made publicly available by Data Principal
The obligation of data fiduciary
A data fiduciary plays a vital role in the processing of personal data, and the onus of protecting that data lies with the fiduciary. In simple terms, a data fiduciary may be your telephone operator, Myntra, Amazon, a matrimony website, or any other person or organization with whom you have shared your personal data.
A data fiduciary may process the personal data of an individual in accordance with the provisions of the Act and for a lawful purpose for which the consent is given or for certain legitimate use.
While asking for consent from a data principal, a data fiduciary shall also give notice, beforehand or at that moment, stating the purpose of the data processing, the rights of the data principal and the manner in which the data principal may make a complaint to the Board.
Under Section 8(5) of the Act, a Data Fiduciary is duty-bound to protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a Data Processor, by taking reasonable security safeguards to prevent a personal data breach.
Section 8(6) of the Act states that in the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal intimation of such breach in such form and manner as may be prescribed.
Penalty
- Breach in observing the obligation of the Data Fiduciary to take reasonable security safeguards to prevent a personal data breach under sub-section (5) of section 8: 250 crore rupees
- Breach in observing the obligation to give the Board or affected Data Principal notice of a personal data breach under sub-section (6) of section 8: 200 crore rupees
Once the consent is given, the data principal is free to withdraw the same at any point in time.
Rights And Duties Of Data Principal
Rights
- Right to access information about personal data
- Right to correction, completion, updating and erasure of the personal data provided
- Right to nominate any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data
- Right to have readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager
Duties
- comply with the provisions of all applicable laws for the time being in force while exercising rights under the provisions of this Act
- to ensure not to register a false or frivolous grievance or complaint
- to ensure not to suppress any material information while providing personal data for any document
- to ensure not to impersonate another person while providing personal data for a specified purpose
Data Protection Board
- The Data Protection Board of India is established by the Central Government.
- The Board is a body corporate with perpetual succession, a common seal, and powers to acquire, hold, dispose of property, contract, sue, and be sued.
- The headquarters of the Board is determined by the Central Government.
Key functions of the Board include
- Monitoring compliances and imposing penalties
- Directing data fiduciaries to take necessary measures in the event of data breach
- Hearing grievances made by affected persons
Authority of Data Protection Board
- Inspect documents of Companies handling personal data
- Summon and examine individuals under oath
- Recommend blocking access to intermediaries that repeatedly breach the provisions of the bill
Tenure of the Board
- The Chairperson and other Members shall hold office for a term of two years and shall be eligible for re-appointment
- Appeal against the decisions of the Board will lie with TDSAT (Telecommunications Dispute Settlement and Appellate Tribunal)
The major criticism of the Bill
- The Board is supposed to be the key enforcer of the law
- The Centre’s power to appoint members of the Data Protection Board could influence the Board
Exemptions to Central agencies
- Provisions allow the Central Government to pass norms seeking citizens’ consent
- Exemption for “any instrumentality of the State” from adverse consequences
Any instrumentality of the State means
- security of the State
- friendly relations with foreign States
- maintenance of public order