The Indian Parliament gave the nod to the Digital Personal Data Protection Bill, marking the beginning of what is to become the nation’s first law governing the protection of personal data. The Bill, which was already passed by the Lok Sabha on Aug. 7, was approved by the Rajya Sabha on Aug. 9. The Bill will become law after it receives the consent of the President of India.
The DPDP Bill seeks to provide protection of digital personal data, establish standards for how businesses should process data digitally, confirm rights of individuals, set out a complaint resolution mechanism and establish a Data Protection Board of India that will oversee the implementation of the law in the country.
Indian government authorities have said that the rollout has already begun, and the government is likely to implement it over the next 6-10 months, after consulting with fiduciaries.
The Need For Digital Personal Data Protection Bill
Data is the bloodstream of today’s organisations. In a widening digital landscape, personal data is continuously being collected by businesses. Whether it is accessing content, shopping online, submitting health records or banking/insurance details, individuals need to furnish various data during their online journey.
This data is later processed and, apart from being used for specific purposes, it helps understand user preference, which then enables hyper-personalisation, targeted advertisements, and customised user experiences. However, unchecked data harvesting and processing can harm people’s privacy, which is considered a fundamental right of citizens. Data can be stolen, misused, or lost, resulting in user profiling, loss of reputation and financial damages—for individuals and businesses alike.
Disruptive technologies such as generative artificial intelligence, despite their obvious benefits, also come with a caveat pertaining to data privacy. According to a recent survey by Gartner, generative AI tools may share user information with third parties, such as vendors or service providers, without prior notice, which has the potential to violate data privacy.
How The Bill Aims to Protect Personal Data
According to the Ministry of Electronics and Information Technology, the Bill provides for the processing of digital personal data in a manner that recognises both the rights of the individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto.
The Bill is applicable to processing of personal data within India if the data is collected online or collected offline and digitised. It shall also apply to data processing outside India if the same is used for offering goods or services in the country.
The DPDP Bill lays down various responsibilities and liabilities of data fiduciaries, entities that handle and process personal data, in accordance with the rights of individuals. Some of its key highlights include:
- Data fiduciaries may process personal data only if an individual has given consent, and for legitimate purposes only.
- Individuals from whom data is sought must be given a notice by the organisation at the time of consent, explaining the purpose of data processing along with information about data rights and complaint procedures.
- If an individual chooses to withdraw consent, the organisation must cease to process the personal data within a reasonable time frame.
- Data fiduciaries must protect personal data in their own possession or under the control of a data processor by taking security safeguards to prevent personal data breach.
- In the event of a breach, the data fiduciary must intimate the Data Protection Board and affected parties, including individuals.
- Organisations must establish an effective mechanism to redress the grievances of individuals, including appointing a data protection officer and sharing their contact details with users.
- The government can identify organisations as significant data fiduciaries based on the sensitivity of the data that they handle and the risk of data breach to individuals and to the security of the state.
- The Bill empowers the government to control personal data transfer to other countries or territories beyond India.
- The Bill also entitles the Data Protection Board to inspect documents of data fiduciaries and propose blocking data access to entities that breach its provisions.
- Penalties for numerous offences are outlined in the Bill, including up to (i) Rs 200 crore for failing to fulfil the provisions laid down related to children and (ii) Rs 250 crore for failing to take security precautions to avoid data breaches.
The passing of the DPDP Bill has made it critical for businesses to align their operations with its provisions to ensure compliance and avoid legal action or penalties.
Businesses must now look at improving the existing infrastructure to support data privacy for various stakeholders, including customers, vendors, and employees, in accordance with the guidelines established for data processing, notice, consent requirements, and other provisions.
They also need to show readiness to set up compliance frameworks and bodies, since new laws and regulations are expected to be rolled out soon.