Digital Personal Data Protection (DPDP) Bill
Objectives:
To enforce individual privacy in the online space.
The Bill seeks to establish a comprehensive legal framework governing digital personal data protection in India.
It aims to provide for processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process it for lawful purposes.
DPDP Bill, 2022 is based on seven principles
1. Lawful use:
Organisations must use personal data in a manner that is lawful, fair and transparent to the individuals concerned.
2. Purposeful dissemination:
Personal data must only be used for the purposes for which it was collected.
3. Data minimisation:
Only the bare minimum of necessary data should be collected to fulfil a purpose.
4. Data accuracy:
No duplication
5. Duration of storage:
Storage should be limited to a fixed duration.
6. Authorized collection and processing:
Reasonable safeguards
7. Accountability of users:
The person who decides the purpose and means of the processing of personal data should be accountable for such processing.
Key features of the DPDP Bill
The Bill will apply to the processing of digital personal data in India, whether it is collected online or offline and then digitized.
It will also apply to the processing of digital personal data outside of India if it involves offering goods or services or profiling individuals in India.
The bill uses the term “Data Principal” to denote the individual whose data is being collected.
The term “Data Fiduciary” denotes the entity (can be an individual, company, firm, state etc.) which decides the “purpose and means of the processing of an individual’s personal data.”
Personal data may be processed only for a lawful purpose for which an individual has given consent. Consent may be deemed in certain cases.
Every individual should know what items of personal data a Data Fiduciary wants to collect and the purpose of such collection and further processing.
Individuals also have the right to withdraw consent from a Data Fiduciary.
The Bill essentially allows laypersons to complain to a Data Protection Board, consisting of technical experts, constituted by the government, if they have reason to believe that their personal data has been used without their consent (for example, mobile phone numbers or Aadhaar details).
The bill also talks of Significant Data Fiduciaries, who deal with a high volume of personal data.
(Factors considered include the risk of harm and the potential impact on the sovereignty and integrity of India.)
Right to demand the erasure and correction of data collected by the data fiduciary.
Right to nominate an individual who will exercise these rights in the event of death or incapacity of the data principal.
The Data Protection Board of India could fine firms that do not protect user data, with penalties for individual offences ranging from ₹10,000 to ₹500 crore, which may apply in case of data breaches.
Courts and law enforcement agencies enjoy wide exemptions from key requirements, as the Bill’s requirements do not apply when:
Personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law or
The processing of personal data by any court or tribunal or any other body in India is necessary for the performance of any judicial or quasi-judicial function.
Concerns
Concerns about an amendment to the RTI Act, 2005 in the DPDP Bill that would prohibit government departments from sharing personal information.
Lack of deadline for deleting personal data (in case of withdrawal of consent).
Lack of a timeline for the Board to adjudicate on a complaint.
No deadline for data fiduciary to erase personal data once the intended purpose is served, etc.
Individuals have no right to data portability.