Indian President Droupadi Murmu on Friday assented to the Digital Personal Data Protection Bill (DPDPB) after it was unanimously passed by both houses of Parliament last week, marking a major step towards securing people’s information.
“The Bill provides for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected with or related to it,” the government said.
The long-awaited data protection law comes months after the Ministry of Electronics and Information Technology (MeitY) released the draft version of the bill in November 2022. It has been in development for over five years, with the first draft released in July 2018. A year ago, the Supreme Court of India upheld privacy as a fundamental right.
The legislative framework, which applies to personal data collected online and offline (and subsequently digitized) both within and outside India, requires that the information be used “for a lawful purpose only with the individual’s consent,” and that only what is necessary for that purpose be processed and stored.
Requests for express consent from users must be accompanied or preceded by a notice stating the purpose for which personal data will be processed. “Personal data” means “any data about an individual who can be identified through or in relation to such data.”
However, consent is not required for “certain legitimate uses” whereby platforms may process personal user data when it is voluntarily provided, for example, to send bills by email. It also waives compliance requirements for certain data fiduciaries, such as startups.
In addition, companies must obtain verifiable consent from a parent or guardian before processing any personal data of children under the age of 18 or of a person with a disability who has a legal guardian.
The government noted that “the bill does not allow processing that is harmful to the welfare of children or involves their tracking, behavioral monitoring, or targeted advertising.”
That said, the consent requirement can be waived if a covered entity demonstrates that its processing of children’s personal data is done in a manner the government considers “certified as secure.”
Data controllers are obligated to maintain data accuracy, store data, and delete data once its purpose has been fulfilled. The law also gives users the right to access, rectify, and erase their information, and to seek redressal of complaints.
Additionally, the DPDP Act provides for the establishment of a Data Protection Board (DPB), which includes members appointed by the government, to investigate complaints, look into data breaches, and levy fines on the basis of the severity, duration, and “repetitive nature” of incidents.
IT Minister Rajeev Chandrasekhar said, “In case of a citizen’s data breach, all they need to do is visit the website, provide details to the Data Protection Board, and the board will report the breaching platforms and initiate an inquiry imposing penalties.”
Organizations that misuse individuals’ digital data, fail to protect it, or fail to notify the DPB of a hack can face financial penalties of up to ₹250 crore ($30.1 million). Decisions of the Board may be appealed to the Telecom Dispute Settlement and Appellate Tribunal for review within 60 days.
In a departure from the first draft of the bill, companies handling personal data can now transfer it to another country for processing, unless the central government has expressly prohibited such transfer. Earlier, cross-border data transfer was allowed only to certain countries and regions.
An important point is that government agencies are exempted from complying with the provisions of the Act “in the interest of the prevention, detection, investigation or prosecution of any offense or contravention of any law for the time being in force in India.”
Despite the DPB’s lack of autonomy, much of the attention has centered around concerns that the exemption could result in more data collection, processing, and retention than deemed necessary, potentially increasing mass surveillance and government-led attacks on privacy.
Another equally troubling issue is the government’s ability to restrict access to “any information created, transmitted, received, stored or hosted in any computer resource” in the interest of the general public, leading to “unbridled censorship of dissenting opinions.”
“In its current form, the DPDPB, 2023 does not adequately protect the right to privacy and should not be enforced,” the Internet Freedom Foundation said in a statement. “It fails to address many data protection concerns and instead establishes a system to facilitate the data processing activities of state and private actors.”