How does the new draft data protection bill affect you?
Summary
The bill, which seeks to govern and safeguard the use of personal data, sets out the rights and duties of users.
The government released the draft Digital Personal Data Protection Bill, 2022, for public consultation last week. The Bill, which seeks to govern and safeguard the use of personal data, sets out the rights and duties of users, and the obligations on businesses. Mint explains:
What is new in the 2022 Bill?
The Bill governs “digital personal data”, which means information that can identify a person and is either collected online or is digitized. Non-personal data and non-digital data are excluded. The Bill removes the categorization of sensitive and critical personal data. Provisions on algorithmic accountability, data portability and hardware/software certification have been dropped. There are no data localization requirements, while limits on cross-border data transfers have been proposed. It introduces the concept of ‘deemed consent’, which includes a list of situations where consent may be assumed and need not be explicit.
How does the Bill impact businesses?
Businesses can collect data for lawful purposes to which individuals have consented. Businesses must notify users when asking for their consent – describing what data will be collected and why. Businesses are also allowed to process data for employment, medical emergency, fraud prevention and a few other reasons, without explicit user consent. Businesses must delete data when it no longer serves the purpose for which it was collected. The central government may designate some businesses to be ‘significant data fiduciaries’, who face higher obligations including periodic audits.
What happens if a business violates the data law?
Businesses face penalties for violations, and failures to keep information safe. If organizations do not do enough to prevent breaches, they may be fined up to ₹250 crore. The data protection board will probe and penalize non-compliance. Those under investigation can provide voluntary undertakings to the board; if accepted, this will shield them from punishment.
What rights do users have?
Users have rights against organizations that collect their personal information. Users can seek information about their personal data, correct and erase their personal information, and file grievances. The Bill also bestows duties on users, including a bar on registering false or frivolous complaints and giving incorrect information, among others. Unlike earlier drafts, the 2022 bill does not provide a right to data portability, i.e., a user’s ability to move personal data from one organization to another.
Is there scope to improve the Bill?
References to data localization have been taken out, but data can be transferred abroad only to countries whitelisted by the government. The basis for making this decision is unclear—it is left to the government. It may also wield control over the composition and functioning of the data protection board—which is meant to be an independent body. Government agencies enjoy broad exemptions, but safeguards for their application have been removed.
Contributed by Vijayant Singh, a senior associate, and Rutuja Pol, lead-government affairs at Ikigai Law.