If the Digital Personal Data Protection (DPDP) Bill 2023 is enacted into a law in its proposed form, soon websites and other online platforms will have to obtain consent of a parent for processing the data of minors, below the age of 18. They may also be barred from taking targeted advertisements directed at children.
This is one of the major facets of the the DPDP Bill 2023, which was introduced in the Lok Sabha on August 3 amid huge protests by the Opposition.
The legislation was first released for consultation in 2022, and based on inputs from these consultations, the government made several changes to it. The revised version, DPDP Bill 2023, was approved by the cabinet in July, and was tabled on August 3.
Here are the main features of the bill that you should keep an eye out for —
Processing children's data: The DPDP Bill 2023 says that before processing any personal data of a child or a person with disability who has a lawful guardian, it is required to "obtain verifiable consent of the parent of such child or the lawful guardian".
The legislation also says that a platform will not undertake tracking or behavioural monitoring or targeted advertising directed at children.
However, the bill has added the caveat that if the government finds that a platform is safely processing data of a child, then they can take up children's data processing without consent of their parents, or even take up targeted advertising.
The definition of children as those below the age of 18 was a pain point for Big Tech companies including Meta, Twitter, Apple and others who wanted the government to redefine children as those below 14.
Deemed consent/legitimate uses: In the 2022 draft of the bill, the government introduced the concept of "deemed consent", where, as the terminology suggests, the consent of a person for processing their data is deemed or assumed.
For instance, in case of an employment investigation, a company may have to process data of a person without his or her consent, or in case of a medical emergency, a person's data may have to be processed without their consent.
However, this provision received a lot of criticism from both civil society and industry alike, as they argued that it goes against the tenet of protecting user rights.
In the version of the bill that was tabled, the government has replaced the term "deemed consent" with "certain legitimate uses". The government lists out certain use cases where data can be processed without a person's consent.
However, experts say that this is more of a cosmetic change, as the term "deemed" has a negative connotation attached to it.
These are the use cases where a entity can process the data of a person without asking for consent:
The 2023 bill says that the chairperson and members of the board will be appointed by the central government. They will be appointed for two years and are also eligible for reappointment. The government also can appoint officers "as it may deem necessary for the efficient discharge of its functions".
The board can also direct for mitigation measures to be taken in case of a personal data breach, inquire into it and also impose a penalty. It has to give the person concerned an opportunity to be heard, and can issue directions, but the the person is bound to comply with the directions it gives.
It will also have the to effectively ask the central government to take down content. The bill that was introduced in the Lok Sabha recommends that the board can advise the government to block access to any information that is hosted on any “computer resource” that enables a data fiduciary to offer services to data principles.
However, the overarching powers of the Data Protection Board has been criticised, and its independence has also been questioned. Although the legislation says that the board will function as an independent body, the government controls the appointees, their functions and more, analysts pointed out.
Exemptions to and powers of government: Among the major criticisms levelled against the bill is the wide exemptions the government gives to it itself. The government can also require the board, any data fiduciary, or intermediary to provide data ‘as it may call for’.
The proposed law also states that its provisions will not apply in respect of the processing of personal data when notified by “instrumentality of the state as the central government may notify". Here, it notes that this could be in the case related to sovereignty and integrity of the country, its security , friendly relations with foreign states, maintenance of public order or preventing incitement to any cognisable offence relating to any of these.
A report prepared by the Parliamentary Standing Committee on IT and Communication was also of the view that there is “still a possibility of these exceptions being misused”, and also urged the ministry to devise a mechanism where the exemptions are only used in exceptional circumstances.
Cross border data transfer: The government will be notifying a list of countries where transfer of data will be restricted. "The central government may, by notification, restrict the transfer of personal data by a data fiduciary for processing to such country or territory outside India as may be so notified," the bill says.
This is in contrast to the 2022 bill, where the government had said that it will list countries where data transfer will be allowed.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
