Analyzing the DPDPB: A Closer Look

The Digital Personal Data Protection Bill, 2022, aims to regulate the processing of digital personal data while recognizing individuals' right to protect their data and the lawful purposes of data processing. Let's break down the DPDPB 2022 into its major sections and provisions, along with practical implications and examples:

Application: It applies to the processing of digital personal data within India, whether collected online from Data Principals or collected offline and then digitized. It also covers data processing outside India when connected to profiling of, or offering goods/services to, Data Principals within India. The Act excludes non-automated processing, offline personal data, personal data processed for personal/domestic purposes, and data over 100 years old.

Practical Implications and Examples:

  • Digital companies operating in India must comply with the Act's provisions to process personal data lawfully, ensuring individuals' data protection rights.

  • An e-commerce platform that collects customer data online must follow the Act's guidelines for data processing, including obtaining explicit consent from customers before using their data for marketing purposes.

  • International companies offering goods/services to Indian residents must adhere to the Act's rules when profiling users' behavior for targeted advertising, even if the processing occurs outside India.

  • Non-automated data processing, such as handwritten records, is exempt from the Act's scope, allowing traditional manual record-keeping unaffected by the regulations.

  • Data older than 100 years is not subject to the Act's requirements, preserving historical records' integrity and accessibility for research and archival purposes.

Obligations of Data Fiduciary: Grounds for processing digital personal data

The Bill sets out the grounds for lawful processing of digital personal data. Data Fiduciaries can process data only when they have obtained the Data Principal's consent and the purpose of processing aligns with the consent given. The provision restricts processing to lawful purposes not expressly forbidden by law.

Example Scenario: A social media platform 'X' can process the personal data (e.g., name, email) of its users for social networking purposes after obtaining their explicit consent for the same.

  • Notice: Data Fiduciaries are obligated to provide a clear and itemized notice to Data Principals before seeking their consent. The notice should specify the data to be collected and the purpose of processing. The notice can be part of the same document used for data collection or a separate document.

Example Scenario: Before a user 'A' signs up for a banking service, the bank ('B') must provide 'A' an itemized notice detailing the personal data (e.g., name, address, proof of identity) required for account creation and the purpose of processing (e.g., account management, transaction tracking).

  • Consent: The Bill defines consent as a freely given, specific, informed, and unambiguous agreement by the Data Principal to the processing of personal data. It emphasizes the importance of a clear affirmative action to indicate consent. Any portion of a consent that infringes the Act is deemed null.

Example Scenario: A mobile app ('X') must obtain explicit consent from its users ('A') to access their location data for providing location-based services. 'A' can indicate consent by tapping an "Allow" button in the app's notification.

  • Deemed consent: Under specific circumstances, a Data Principal is deemed to have given consent for processing. For instance, when voluntarily providing personal data or for medical emergencies, consent is assumed.

Example Scenario: A website ('X') providing COVID-19 updates asks users to share their travel history and health symptoms voluntarily. Users who willingly provide this data are deemed to have given consent for processing it to analyze the pandemic's spread.

General obligations of Data Fiduciary: Data Fiduciaries have a range of obligations, including ensuring data accuracy, implementing security measures to prevent data breaches, and redressing Data Principals' grievances. They must also provide Data Principals with easy-to-use options for withdrawing consent and ceasing data retention.

Example Scenario: A mobile application ('X') must have a user-friendly interface for users ('A') to manage their consent preferences, withdraw consent, and submit grievances related to data processing.

Additional obligations in relation to the processing of personal data of children: Special provisions apply when processing children's data. Data Fiduciaries must obtain verifiable parental consent before processing a child's data. They are prohibited from conducting behavioral monitoring or targeted advertising directed at children.

Example Scenario: A gaming website ('X') catering to children must obtain parental consent before collecting any personal data from child users ('A'). It cannot use cookies to monitor children's online behavior for targeted advertisements.

Additional obligations of Significant Data Fiduciaries: The government can designate certain Data Fiduciaries as Significant Data Fiduciaries based on specific factors. Significant Data Fiduciaries have additional obligations, including appointing a Data Protection Officer, conducting Data Protection Impact Assessments, and undertaking periodic audits.

Example Scenario: A large e-commerce platform ('X') is designated as a Significant Data Fiduciary due to its extensive data processing operations. It appoints a Data Protection Officer to ensure compliance with the Act, conducts regular Data Protection Impact Assessments, and undertakes periodic audits to identify and address data protection risks.

Rights and Duties of Data Principals

In DPDPB 22, not only are rights given to data subjects, but also certain duties are added when exercising these rights. Let's see what rights are granted!

Right to information about personal data: Data Principals have the right to access information about the processing of their personal data. They can request confirmation from Data Fiduciaries regarding the processing of their data, receive a summary of the data being processed, and know the categories of data shared with other Fiduciaries. This right empowers Data Principals to be aware of how their data is being used and shared, promoting transparency and accountability among Data Fiduciaries.

Example Scenario: A user ('A') can request a social media platform ('X') to provide a summary of all personal data collected and shared with third-party advertisers for targeted advertising purposes.

Right to correction and erasure of personal data: Data Principals can request Data Fiduciaries to correct inaccurate or incomplete personal data and erase data that is no longer necessary for processing, subject to applicable laws. This right gives Data Principals control over the accuracy and relevance of their data, reducing the risk of incorrect or outdated information being used for decision-making or shared with others.

Example Scenario: A customer ('A') can ask an e-commerce site ('X') to correct her shipping address in the account details and erase her payment information after completing a transaction.

Right of grievance redressal: Data Principals have the right to raise grievances with Data Fiduciaries and, if not satisfied with the response, lodge a complaint with the Data Protection Board. This right ensures that Data Principals have recourse if they feel their data rights have been violated or if they are dissatisfied with how their data is being processed.

Example Scenario: A user ('A') can file a grievance with a mobile app ('X') regarding unauthorized access to her personal data and demand an explanation for the security breach.

Right to nominate: Data Principals can nominate another individual to act on their behalf in case of their death or incapacity to exercise their data rights. This right ensures the continuity of data protection even in the event of the Data Principal's absence or incapacity.

Example Scenario: A user ('A') nominates her spouse ('B') to exercise her data rights in case of her incapacity to do so due to a medical condition.

Duties of Data Principal: Data Principals have responsibilities while exercising their rights, such as complying with applicable laws, providing authentic information, and not filing frivolous complaints. These duties promote responsible data handling by Data Principals and discourage misuse or abuse of data rights.

Example Scenario: A customer ('A') provides accurate and authentic information when requesting a correction of her personal data from an online banking portal ('X').

Transfer of personal data outside India

This provision allows the Central Government to notify countries or territories outside India to which a Data Fiduciary can transfer personal data, subject to specified terms and conditions. It aims to regulate the cross-border flow of personal data to ensure adequate data protection.

By regulating data transfers outside India, this provision helps protect Data Principals' personal data from being sent to jurisdictions with weaker data protection laws, thereby enhancing data privacy and security.

Example Scenario: An Indian company ('A') wishes to transfer personal data of its customers to a foreign cloud service provider ('B') for storage. Before doing so, 'A' must ensure that the foreign country or territory is on the list of those notified by the Central Government and comply with the specified conditions.

Exemptions: The Bill lists various exemptions under which certain provisions of the Act do not apply. It covers scenarios such as processing personal data for enforcing legal rights, judicial functions, law enforcement purposes, and research purposes.

These exemptions strike a balance between privacy rights and other legitimate interests, allowing certain data processing activities to be carried out without unnecessary regulatory burden while ensuring that sensitive personal data remains protected.

Example Scenario 1: A government agency processes personal data without the application of certain provisions of the Act for national security purposes, as specified under the exemption.

Example Scenario 2: A research organization processes anonymous data for statistical purposes without triggering specific rights and duties of Data Principals, as permitted under the exemption.

Overall, these special provisions play a crucial role in ensuring that data protection laws are practical, adaptable, and appropriately address diverse scenarios while safeguarding the privacy and rights of Data Principals.

Compliance Framework

Data Protection Board of India: The Central Government will establish the Data Protection Board of India, a central authority responsible for overseeing and implementing the provisions of the Data Protection Act. The Board is empowered to address complaints, determine non-compliance with the Act, and impose penalties. The Board operates digitally, and its members, officers, and employees are considered public servants, with immunity from legal proceedings for actions taken in good faith.

The Data Protection Board of India plays a critical role in enforcing data protection laws and ensuring compliance with the Act. Its digital functioning enables efficient handling of cases, and its status as a public authority promotes transparency and accountability.

  • Functions of the Board: The functions of the Data Protection Board include determining non-compliance with the Act, imposing penalties, and performing other functions as assigned by the Central Government. The Board can issue directions, conduct inquiries, and take urgent measures to address personal data breaches. By defining the functions of the Data Protection Board, the Bill establishes a robust framework for enforcing data protection laws. The Board's authority to impose penalties for non-compliance serves as a deterrent against data breaches and privacy violations.

  • Process to be followed by the Board to ensure compliance with the provisions of the Act: The bill outlines the process followed by the Data Protection Board when addressing complaints and inquiries. The Board functions independently, conducts inquiries while adhering to principles of natural justice, and can issue interim orders and enforce its decisions. The outlined process ensures fair and impartial handling of complaints and inquiries. By granting the Board the power to summon individuals, examine evidence, and issue orders, the Act enhances the Board's ability to investigate and address data protection violations effectively.

  • Review and Appeal: The Bill allows for the review of Board orders, appeals to the High Court against Board decisions, and bars civil courts from interfering in matters under the Act. The provision for review and appeal offers an opportunity for affected parties to seek redressal and ensures that the Board's decisions are subject to judicial scrutiny. The exclusion of civil courts from interfering helps streamline the resolution process and prevents undue delays.

  • Alternate Dispute Resolution: The Bill empowers the Board to direct parties to resolve disputes through mediation or other dispute resolution processes. By promoting alternative dispute resolution methods, this provision helps parties find amicable solutions, reducing the burden on formal legal proceedings and promoting quicker resolution of data protection-related conflicts.

  • Voluntary Undertaking: The bill allows the Board to accept voluntary undertakings from individuals or organizations regarding compliance with the Act. The Board can modify the undertakings and take action if a party fails to comply. Voluntary undertakings provide a flexible mechanism for addressing non-compliance without resorting to penalties immediately. They encourage cooperation between the Board and data fiduciaries, promoting a culture of proactive data protection.

  • Financial Penalty: The Bill empowers the Board to impose financial penalties, not exceeding rupees five hundred crore in each instance, on data fiduciaries found to be significantly non-compliant with the Act. The amount of the penalty is determined based on various factors.

The provision for financial penalties acts as a strong deterrent against data protection violations, encouraging data fiduciaries to adhere to the Act's provisions. The Act's guidelines for determining penalty amounts ensure fairness and proportionality in imposing penalties.
