After multiple revisions over the years, the government has again come out with a new version of the data protection bill that deals with the regulation of how a citizen’s personal data is collected, maintained and processed.
The Digital Personal Data Protection Bill, 2022 proposes multiple modern provisions like the right of a user to know exactly what personal data of theirs is being collected, how it is managed and processed.
For entities which collect and manage user data (called data fiduciaries), the proposed law chalks out all the do’s and don’ts with respect to how they treat personal data. The draft legislation also seeks to create a new layer of digital governance through a data protection regulator.
We went through the proposed law and an explanatory note provided by the government so that you don’t have to. Here’s what the draft digital personal data protection bill means for consumers, tech platforms, businesses or any other body that collects and manages user data:
Right to information on personal data
Over the years, digital activists and experts have cautioned that personal data is not only processed by platforms and businesses to target ads at users, but may also be used to draw up extensive digital profiles of a person. Such data can also be sold or passed on to others without the user getting a whiff about the same.
To protect a user against such instances, the bill mandates that the data principal (a user) has the right to know exactly which data of theirs is being processed, or if it is being sold or passed on to another fiduciary who will process the data for other purposes.
Users can ask for corrections, erasures
The nature of the digital age is such that incorrect information about a user is often published online. There may also be instances when the information pertaining to a user changes, such as when you change residences, e-mail IDs or a telephone number.
The draft data bill has you covered under such circumstances, as you can ask a platform or any other entity to correct information regarding you. In a sense, the bill also incorporates the ‘right to be forgotten’, as the user can ask for their data to be erased.
Further, the bill says that a data fiduciary has to delete the data pertaining to a user when it no longer needs to hold that data.
For example, when a person closes their savings bank account, the bank has to delete his/her data pertaining to the account. Similarly, if a user deletes their social media account on a particular platform, their data has to be deleted as the bill mandates that a data fiduciary must retain personal data only so long as it is required for the purpose for which it was collected.
Children’s behaviour can’t be tracked
The bill states that a data fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children. Before processing any personal data of a child, the fiduciary has to obtain verifiable parental consent. Moreover, non-fulfilment of these obligations relating to children can lead to penalties of up to Rs 200 crore.
Dealing with data breach events
In the past, we have seen that users are hardly ever notified in case of data breaches. Most of the time, it is a white-hat researcher who reveals a data breach, even when sensitive personal data such as bank account, credit card and Aadhaar details may have been compromised.
To protect users in such instances, the bill effectively mandates that a platform or any entity which suffers a data breach has to notify each affected user and also the data protection board.
Moreover, every data fiduciary and data processor has to protect personal data by taking reasonable security safeguards to prevent a personal data breach. If they are found to have not taken appropriate safeguards, the data protection board may levy a penalty of up to Rs 250 crore.
When a personal data breach occurs, the bill says that the data regulator may direct the data fiduciary to adopt any urgent measures to remedy such personal data breach or mitigate any harm caused to users.
Users can seek grievance redressal
It is the responsibility of the data fiduciary to ensure that a consumer is able to seek effective redressal of her grievances. To facilitate this, the bill says that every data fiduciary should publish the contact details of the person to whom grievances and queries can be addressed.
The proposed legislation also gives a user the right to file a complaint with the data fiduciary, and the right to file a grievance with the Data Protection Board in case of a lack of response or an unsatisfactory response from the fiduciary.
Right to nominate
Nomination is a basic practice and right available to individuals in several contexts such as financial services. For example, consumers are always asked for nominees to their bank accounts, insurance schemes, provident funds etc.
Taking a leaf out of this practice, the data protection bill has proposed the right to nominate any other individual who, in the event of death or incapacity of the data principal, can exercise the rights of principal provided in the proposed law.
Users have duties, too!
Interestingly, the draft bill also contains a set of provisions named ‘duties of data principal’, which require a user to provide authentic information while exercising the right to erase or correct their data, not to register a false or frivolous grievance or complaint with a data fiduciary or the board, and not to provide any false information or impersonate another person.
There would also be penalties of up to Rs 10,000 for non-compliance with these ‘duties’. However, the bill clearly states that the obligations of a data fiduciary remain intact whether or not a user abides by their duties.
Non-compliance will be costly
Data fiduciaries have no choice but to comply with the law, as they may have to pay penalties of up to Rs 500 crore for non-compliance.
The bill sets out a long list of penalties: up to Rs 250 crore for failing to take appropriate safeguards against data breaches, another Rs 200 crore for not notifying of a breach or not complying with provisions related to children, Rs 10 crore for flouting data localisation norms, and Rs 150 crore when a significant data fiduciary fails to carry out its additional obligations under the proposed law.
One more hire to make
Similar to the additional obligations placed on digital intermediaries with more than 5 million users in the Information Technology Act, 2021, the data protection bill states that a ‘significant’ data fiduciary, designated on the basis of the volume of data processed, the risk to users and to elections, etc., will need to fulfil certain additional obligations to enable greater scrutiny of its practices.
These significant data fiduciaries have to appoint a data protection officer who will represent them under the provisions of the law and be based in India. The officer will be an individual responsible to the Board of Directors or a similar governing body of the significant data fiduciary.
Breather for businesses on data localisation
Although the issue of data localisation was thought to be an important part of the proposed regulation, the bill only says that the central government may notify countries or territories outside India to which a data fiduciary may transfer personal data, in accordance with terms and conditions that may be specified later.