The Digital Personal Data Protection Bill, 2023 | #Must Know

The article 'The Digital Personal Data Protection Bill, 2023' analyses the importance of the bill in order to handle electronic individual information within India, whether it's gathered through online means or offline sources that are later converted into digital format. Furthermore, it will also be applicable to such data processing activities carried out outside of India, if they involve providing products or services within India.

President grants assent to Digital Personal Data Protection Bill 2023

On 11-08-2023, President Draupadi Murmu gave her approval for the new Digital Personal Data Protection Bill 2023 to become law. This was done after it was passed by both houses of government. The date set by the Central Government is when the Act will become law. It is the first law about data processing, and it changes other laws like the Information Technology Act and the Right to Know Act. The date it goes into effect will be set by a government decree.

The stated goal of the bill is to make sure that digital personal data can be processed in a way that respects both the right of people to protect their data and the need to process such personal data for legal reasons. When processed on Indian land, this law applies to personal information that has been gathered in digital or non-digital form and then turned into digital form. Also included is the release of personally identifiable information that is kept online to give goods or services "to Data Principals within the territory of India. "Data Principal" refers to the person about whom information is gathered and kept.

The Bill spells out what permissions are needed and what "legitimate uses" of personal information are:

"Personal data" is described by the proposed law as "any data about an individual who is identifiable by or in relation to such data."

The Bill gives the central government the power to exempt government organizations from its restrictions in order to protect national security, keep the peace, and stop crime. Based on what is written in the Bill, the Indian government is required to set up a Data Protection Board. The body will be in charge of managing fines and making sure rules are followed.

It will also advise data users about what to do in case of a data breach and deal with complaints from people who have been affected by such incidents. A "Data Fiduciary" is a person or group of people who decide on their own or together how personal information will be used. For the obvious reason why the person gave her personal information to the Data Trustee.

Also, if you break the rules about children, you could be fined up to Rs 200 crore. If you break the rules about not having security steps to prevent data breaches, you could be fined up to Rs 250 crore. The Bill says that a warning about the reason for processing personal information must be given before or at the same time as the call for permission. People have certain rights, such as the right to access information, the right to correct or delete wrong information, and the right to seek relief for concerns, among others.

Salient Features

The Bill will manage what happens to personal information that is taken online or offline in India and then turned into a digital file. The law will apply if this work is done outside of India to sell or give services in India. Only with the person's clear permission can personal information be used for anything. Some valid reasons, like when a person gives information on their own or when the state processes information so that a person can get a pass, ticket, award, or service, may not need the person's permission.

The People who own the data will be responsible for making sure it is right, safe, and deleted when it has served its original purpose. People have certain rights under the Bill, such as the right to see information, the right to ask for information to be removed or changed, and the right to have complaints heard. The central government may take government groups out of certain parts of the Bill for reasons like protecting the security of the state, keeping the peace, and stopping crime. The Data Protection Board of India would be set up by the national government to decide what to do when people don't follow the rules in the Bill.

Personal Information is used Legitimately and on a moralized basis so that the government or one of its departments can keep India's sovereignty, geographical unity, or national security safe or meet a law requirement. To use information from "any database" kept by the government and made available by the Central Government to offer or give a payment, benefit, service, certificate, license, or permission that the person has already agreed to. Since the Registration of Birth and Funeral Bill was just passed, there needs to be a nationwide collection of birth and death documents. The government or its agents may also use personal information if it is needed to protect India's national security, sovereignty, or geographical identity.

Privacy Advocates are worried about how personal information could be used if terms like "interest of sovereignty, "integrity of India" and "security of state" are used. The Bill makes exceptions for data that has been handled for certain reasons so that it doesn't have to be deleted. The suggested change to the Right to Information Act would get rid of the part that lets people get "personal information" even if it isn't in the public's best interest to do so.

The Board for Data Protection

It deals with the creation of the Data Protection Board, a group whose job it is to look into data breaches and tell data owners what to do when personal information is lost or stolen. Fines of up to INR 250 crore (about EUR 27 million) could be given if the Board decides to do so.

Data Controllers have certain Duties

Data owners (sometimes called "data fiduciaries") are allowed to use personal data under the Act if they have the subject's permission or a reasonable business need to do so.

The conditions that must be met to get permission are similar to those in the GDPR.

1) For the purposes of providing services to data subjects or carrying out its duties in the interest of sovereignty and security; To comply with judgements or court orders under Indian law or to execute contractual and civil claims under laws outside India; To respond to a medical emergency involving a threat to the life or immediate threat to the health of the data subject or other people; To take steps to provide health services to any person during an emergency.

2) Data controllers will have a number of responsibilities, such as being honest about the data processing they do, putting in place the right security measures to prevent data leaks, and notifying the Data Protection Board and those harmed by a breach.

Indian Government may call some data owners "significant data fiduciaries," taking into account things like the amount and importance of personal data handled, the risk to the rights of the subjects, and the need to keep public order, security, and India's autonomy. It also gives people in charge of important data new duties, such as hiring a data protection officer and an independent data inspector, auditing data, and doing regular studies of how data protection works.

Privacy and other rights of data subjects of Individuals include:

1. Access to personal data processed on the basis of consent

2. Resolution of complaints by the controller and by the Data Protection Board

3. Designation of a third party to exercise the data subject's rights in the event of the data subject's death or incapacity

4. Revocation of consent to the processing of personal data in the event of the data subject's death or incapacity.

Cross Border Transfers

Personal information can be sent outside of India if the Act says so, but the Indian government can stop this from happening to certain countries or regions at any time. This news statement from the Ministry of Electronics and IT explains the most important parts of the Act.

Exemptions: The rights of the data owner and the tasks of the data user do not apply in certain situations that are not related to data security. First, there's stopping and finding illegal activity. Second, there's pursuing and protecting legal claims and rights. The federal government can keep certain actions from being covered by the Bill by sending out a warning. For example, (i) processing is needed for state and public order security by government agencies, and (ii) processing is needed for study, storage, or statistics.

Penalties under the Act

The Bill's schedule includes fines of up to (i) Rs 200 crore for not taking care of minors as one should and (ii) Rs 250 crore for not taking reasonable steps to keep data secure. After a review, the Board will decide on the right punishments.

Analysis and Key Issues in the Bill

Data Processing permits given by the state for reasons like national security may lead to unnecessary data being collected, processed, and stored. There is a chance that this goes against people's privacy and basic rights. It doesn't handle either the "right to be forgotten" or the "right to have your data moved."

The bill doesn't address the risks of damage from data processing, nor does it give the person whose data is being used the right to have their data moved or to be ignored.

The plan will let India send personal information to all countries except those specifically left out. This method might not be a foolproof way to determine whether the receiving country has good data protection laws or not.

Members of the Data Protection Board of India will be appointed for two-year terms that will change every two years. After that, they can be reappointed. If members were chosen for shorter terms and could be reappointed, this could make the Board less fair.

References

[1] Salient Features of the Bill, Available Here

[2] Draft of the Personal Data Protection Bill, 2023, Available Here

Important Links