The Digital Personal Data Protection Bill, 2023 was passed in the Lok Sabha on 7th August 2023. It lays down the obligations of entities collecting and processing data along with the rights of individuals whose data is being collected. The bill proposes a maximum penalty of Rs 250 crore and minimum of Rs 50 crore on entities violating the norms.
It is commonplace for people to grant consent for their personal data to be collected and stored through a multitude of applications and websites. Often this consent is given without much consideration because people tend to prioritize their convenience and access to various online services. However, the personal data that they are allowing to be collected today has the potential to come back to haunt them tomorrow.
The Digital Personal Data Protection Bill of 2022 talks about how personal data can be processed while keeping in mind the right of individuals to protect their personal data and the use of the data for lawful purposes.
The Digital Personal Data Protection Bill broadly has implications for the following individuals:
- Data Principal
- Data Fiduciary
Data Principal as defined in Section 2 (6) means “the individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child.” In simple words, a Data Principal refers to an individual whose data is being collected. The Bill grants certain rights to the Data Principals such as the right to obtain information, seek correction, and erasure of personal data.
Data Fiduciary as defined under Section 2 (5) means “any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.” The Data Fiduciary shall ensure that the personal data taken from any person with consent is protected and shall also have a procedure and mechanism to redress the grievances of the person. The Data Fiduciary should ensure that the data being collected and stored is limited to a fixed duration, and should take reasonable security safeguards to prevent personal data breach.
The Bill makes it very clear that the data should be taken only after receiving consent from the person as per the provisions of this Act. Similarly, before the data of any Data Principal is collected, they should be informed about the purpose for which such data is going to be used.
This Bill emphasises the importance of consent for both the Data Fiduciary and the Data Principal. The consent given by the person whose data is being collected should not be in infringement of this Act. Similarly, the Data Principal also has the right to withdraw his/her consent without difficulty. It is imperative that changes to apps and e-commerce platforms be implemented to ensure that their SOPs are in line with the law, when passed.
The Act also makes it clear that a Data Protection Officer, akin to a Grievance Officer, should be mandated to resolve the grievances faced by any person under the provisions of this Act.
A recent article has highlighted that when a company opts to modify its terms and conditions, the previously obtained continuous consent collapses and a fresh consent is to be acquired from the Data Principal. Furthermore, a clause to this effect may be introduced in the upcoming Bill and the draft will be released for public input.
The Digital Personal Data Protection Bill is an essential element to consider before any person decides to provide his/her data on any application or website. The Bill has retained some provisions from the past draft legislations, but certain fresh provisions are yet to be introduced. It will be interesting to see the new draft legislations enter into the final law of the land.
UPDATE: The Digital Data Protection Bill has been passed by the Parliament of India and shall be implemented as law.