In today’s digital age, where information flows freely and personal data is a valuable currency, safeguarding your privacy and personal information has never been more critical. Recognizing this, the Union Government of India has introduced revised and comprehensive legislation known as the Digital Personal Data Protection Act, of 2023. In this article, we will delve into the key aspects of this bill, how it impacts individuals, and why it is significant.
The Evolution of Data Protection in India
Before we delve into the specifics of the Digital Personal Data Protection Bill 2022, it’s essential to understand the context of data protection in India and how it has evolved.
Justice K. S. Puttaswamy (Retd) vs. Union of India 2017
Back in August 2017, something big happened in the Supreme Court. Nine judges got together and made a really important decision. They said that people in India have a special right to privacy. This right is part of life and freedom according to Article 21 of the Indian Constitution. This decision was a big deal and set the stage for better laws to protect our data in India.
B.N. Srikrishna Committee 2017
Following the Puttaswamy judgment, the Indian government appointed a committee of experts for data protection under the chairmanship of Justice B.N. Srikrishna in August 2017. This committee worked diligently and submitted its report in July 2018, along with a draft Data Protection Bill. The report contained a wide range of recommendations aimed at strengthening privacy laws in India. These recommendations encompassed restrictions on data processing and collection, the establishment of a Data Protection Authority, the right to be forgotten, data localization, and more.
Information Technology Rules 2021
To make sure data is better protected, the Indian government brought in the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021. These rules make social media platforms more careful about the stuff people post on them. This was done to deal with problems like wrong information, made-up news, and also careful managing of user data.
Introducing the Digital Personal Data Protection Bill 2022
Now, let’s dive into the Digital Personal Data Protection Act 2023.
Back in 2017, the Ministry of Electronics and Information Technology (MeiTY) formed a group of experts to figure out how to protect our data. They talked about it and did some research.
Then, in December 2021, they introduced something called the Data Protection Bill, 2021 (DPB, 2021). It was a big deal! But guess what? In August 2022, the Minister for Communications and Information Technology took it back from Parliament.
But they didn’t give up! On November 18, 2022, they shared a new plan called the Digital Personal Data Protection Bill, 2022 (DPDPB, 2022) for everyone to see and comment on. In August 2023, Parliament approved this bill.
This legislation represents a significant step forward in protecting the privacy and personal data of individuals in India. This Data Protection Law is all about the processing of digital personal data
Seven Principles of the 2022 Bill
The Digital Personal Data Protection Bill of 2022 is based on seven main rules. These rules aim to ensure that your personal information is safe. These seven principles are important. Hence, there is a separate article on the topic.
Read More: 7 Principles of Data Privacy in DPDPB 2023
Key Features of the Digital Personal Data Protection Bill
Data Principal and Data Fiduciary
- Data Principal: This term simply means the person from whom they collect data. For kids who are under 18 years old, their parents or legal guardians are the ones in charge of their data.
- Data Fiduciary: A Data Fiduciary is like a guardian for your personal information. It could be a person, a company, a state, or even a group. They decide how and why they want to use your personal data. In simple terms, they’re the ones responsible for keeping your data safe and using it in the right way.
Read More: Data Fiduciary
Rights of Individuals
- Access to Information: Individuals have the right to access basic information in languages specified in the eighth schedule of the Indian Constitution.
- Right to Consent: Individuals must give their consent before their data is processed. They should know what personal data a Data Fiduciary wants to collect and also the purpose of such collection.
- Right to Erase: Data Principals can demand the erasure and correction of data collected by the Data Fiduciary.
- Right to Nominate: Data Principals have the right to nominate an individual who will exercise these rights in the event of their death or incapacity.
Data Protection Board
The bill proposes the establishment of a Data Protection Board to ensure compliance. In cases of unsatisfactory responses from Data Fiduciaries, consumers can also file complaints with the Data Protection Board.
Read More: Data Protection Board
Cross-border Data Transfer
The bill lets data move across borders to “specific countries and areas” if they follow data safety rules. The Indian Government can get data on Indian citizens from these places. It’s like a rulebook that says we have to respect your right to keep your personal data safe. But, at the same time, we are processing the personal data for legal purposes.
Financial Penalties
For Data Fiduciaries, the bill proposes significant penalties for data breaches or failure to notify users about breaches. Penalties can range from Rs. 50 crores to Rs. 500 crores. Unlike General Data Protection Regulation (GDPR) these penalties are based on the offense and not the turnover of the organization. However, Data Principals submitting false documents or filing frivolous complaints will face fines of up to Rs. 10,000.
Exemptions
Not all businesses have to follow all the rules in the bill. If they don’t have many users or don’t deal with lots of personal data, they might not need to follow certain rules.
The Bill also says that the government can let certain government organizations (“Instrumentality of the State”) avoid following the Bill’s rules. This means they can use and work with personal data without telling people or being accountable. This is to help startups that thought the older 2019 version of the bill had too many rules to follow.
The bill also keeps exceptions for cases where national security and maintenance of public order are important.
Significance of the Digital Personal Data Protection Bill
The Digital Personal Data Protection Bill, of 2022, carries immense significance for several reasons:
- Facilitating Cross-border Data Flows: Unlike the old version, this bill gives some leeway to data moving between countries. It changes the rule that data must stay within the country, so now data can go to specific places around the world. This change could help countries trade with each other and make it easier for data to move around.
- Postmortem Privacy Recognition: The bill recognizes an individual’s right to postmortem privacy, allowing the withdrawal of consent even after the individual’s passing. This recognition aligns with recommendations from the Joint Parliamentary Committee.
The Digital Personal Data Protection Act of 2023 is a big step in keeping your personal information safe online. As technology improves and your information becomes more important, this law makes sure your data is protected. It handles your data responsibly and follows your rights. This law is like a guardian, protecting your privacy and security as we use digital technology.