Understanding the Digital Personal Data Protection Bill, 2022’s application and features is crucial since it establishes a new framework for personal data protection. The Indian government views the recently announced law as a component of a bigger plan for a digital economy that includes a comprehensive “Digital India Act” that would eventually replace the outdated Information Technology Act, 2000. Therefore, it is essential to examine its provisions, consequences, and deficiencies in light of the possibility that they will have an impact on how we live our daily lives.
Key features of DPDP Bill
Definitions that are crucial under the proposed law
Let’s first examine several key definitions that form the cornerstone of the proposed data protection law in order to fully appreciate the subtleties of the DPDP Bill.
Personal data is any information that may be used to directly or indirectly identify a specific person.
Fiduciary of Data It designates a person who chooses, alone or in collaboration with others, the objectives and procedures for processing personal data.
The person to whom the personal data belongs is represented by the data principal. Parents and the child’s legal guardians are considered in cases involving children.
A person who handles personal data on behalf of a data fiduciary is shown as a “data processor” in this image.
Significant Data Fiduciary: It is a Data Fiduciary that has been notified by the Central Government after taking into account many considerations, including the amount of personal data processed, the risk to electoral democracy, state security, and public order, among others.
The term “Data Protection Officer” refers to a person chosen by a Significant Data Fiduciary who will answer to its Board of Directors and serve as a point of contact for resolving any potential complaints.
Application and Coverage
The DPDP Bill applies to all digitally processed personal data, including that which is obtained offline and afterwards converted to digital form. The proposed law further broadens its scope to include processing digital personal data outside of Indian territory, provided that this processing relates to creating a profile of a Data Principal in India or contacting that person about receiving goods or services. Thus, if the aforementioned requirement is met, the DPDP Bill would likewise apply to overseas organisations.
Justification for handling personal data
According to the proposed law, data fiduciaries are permitted to process personal data for any lawful reason (i.e., a reason that is not expressly prohibited by law) as long as the data principal has given consent or is presumed to have given consent.
Fiduciaries of data have obligations.
In order to guarantee the security of personal data, the DPDP Bill places certain requirements on data fiduciaries. The justification is that the Data Fiduciary will be in charge of ensuring that the DPDP Bill is followed regardless of any agreements to the contrary or actions taken by the Data Principal.
Rights and Duties of Data Principals
The following list of data principal rights to their personal data is provided under the DPDP Bill:
Data principals have the right to ask for confirmation that their personal information is being processed, a list of the data being processed, and the names of the data fiduciaries who have access to that personal information.
Right to rectification and erasure: Data subjects have the right to request rectification of any inaccurate personal data as well as the erasure of any personal data that is no longer required for the processing for which it was originally collected.
Data Principals have the right to file complaints with data fiduciaries for remedy. The Data Principals have the option to file a complaint with the Data Protection Board of India in the event of a response that is inadequate or nonexistent after seven days.
Right to nominate: In the event of their demise or incapacity, Data Principals may nominate any person to exercise the aforementioned rights.
In order to prevent the abuse of their rights, the DPDP Bill also imposes specific duties on Data Principals. These obligations include not hiding relevant information, providing incorrect information, or impersonating someone else when supplying personal data to data fiduciaries. Additionally, they are forbidden from submitting fictitious and pointless complaints to the Indian Data Protection Board.
Developing a strong data protection culture across the nation is urgently needed. Making sure that a piece of law is founded on strong ideas that can be upheld by clever regulation is essential to ensuring that it lasts long enough to be effective. The DPDP Bill was created with a number of guiding concepts in mind, including the accuracy of personal data, data minimization, and legitimate and fair data processing, among others. The government thinks that the Bill, in its current form, offers plenty of room for adaptability as digital ecosystems change.
While the start-up community and businesses have expressed hope about the clear wording and suggested understandable terms, critics have expressed concerns about issues including the absence of sufficient deadlines, the expansive concept of public interest, excessive delegation, and exemptions. It is significant that the Bill is still in its infancy and that its full effectiveness and impact won’t be known for some time.