Salient Features Of India’s Digital Personal Data Protection Bill, 2023

What We Cover In This Blog?

• India’s Data Protection Bill
• Key Functions, Stakeholders, And Definitions
• Scope And Application
• Conditions For Data Processing By Data Fiduciaries
• Rights Of Data Principals
• Data Of Children And Persons With Disabilities
• Data Protection Board’s Role
• Cross-Border Personal Data Transfer

India’s Data Protection Bill

The DPDP Bill marks the Indian government’s second endeavor to establish comprehensive data protection law and privacy legislation. It builds upon India’s data protection regime, particularly Section 43A of the Electronics and Information Technology Act 2000. It is supplemented by the 2011 Electronics and Information Technology Rules.

The proposed Bill in India aims to establish a robust framework for safeguarding personal data, addressing issues like granting rights to the affected data principal, regulating data fiduciaries that process personal data, and implementing measures to prevent personal data breaches while addressing concerns related to targeted advertising and behavioral monitoring.

It also has innovative key features such as storage limitation, delineates the responsibilities of data processors in handling financial assets, and ensures that both the rights of individuals are upheld by mandating that data processing is conducted by seeking consent or under a legally valid contract.

A best digital marketing agency excels in creating effective online strategies to help businesses reach their target audience and achieve their marketing goals by abiding by the digital personal data protection policies laid down by the Indian government.

Key Functions, Stakeholders, And Definitions

The DPDP Bill outlines key stakeholders who will play essential roles in ensuring the protection of personal data publicly:

• Data Protection Board: This central governing body, to be established by the Central Government, will oversee the implementation of the Act.
• Data Fiduciary: Any individual or entity, alone or in collaboration with others, that determines the statistical purposes and means of processing personal data.
• Data Principal: An individual to whom the personal data relates, which includes minors and individuals with disabilities.
• Data Processor: An entity responsible for processing personal data on behalf of data controllers, ensuring compliance with data protection laws, and maintaining the security and confidentiality of the information.
• Data Protection Officer (DPO): Data fiduciaries must designate a DPO to enforce legal rights. Furthermore, an autonomous independent Data Auditor could be enlisted to appraise and review data procedures, guaranteeing alignment with statutory provisions. An individual nominated by a Significant Data Fiduciary to oversee and ensure compliance with data protection regulations.
• Significant Data Fiduciary: Certain Data Fiduciaries have characteristics of Central Government based notifications, such as the volume of data minimization processed and the potential impact on security and public order.

Scope And Application

The DPDP Bill’s scope encompasses innovative features like digitally processing India’s data, collected online or digitized from offline sources. It also extends to the permit processing of digital personal data outside India if related to offering goods, services, or profiling of Data Principals within the country. However, personal data processed for personal or domestic purposes and data made publicly available by the Data Principal or under legal obligations fall outside the bill’s purview.

Data fiduciaries can process data for lawful purposes by seeking the consent of managers of the Data Principal or for ‘certain legitimate uses.’ Before obtaining consent, a Data Fiduciary must provide detailed notices specifying the process data, the purpose, and the Data Principals’ rights.

Conditions For Data Processing By Data Fiduciaries

A Data Fiduciary must ensure ethical and lawful management of personal information. These conditions encompass securing explicit consent from data subjects, articulating the purpose behind data collection, upholding data accuracy, enacting suitable security measures, and adhering to pertinent data protection legislation. Additionally, Data Fiduciaries, notified as Significant Data Fiduciaries, may be obliged to furnish individuals access to their data and establish mechanisms for rectification and erasure. These conditions protect individuals’ privacy while facilitating transparent and legitimate information processing practices.

A Data Fiduciary enforces sensible security measures ensures precise data handling, and implements protocols for notifying breaches. Their responsibilities also extend to erasing personal data once its purpose has been fulfilled.

Rights Of Data Principals

The salient features of the bill recognize the rights of the affected data principals and the fiduciary’s obligations. Affected data principal can access their data, correct inaccuracies, erase personal data and restrict or object to processing for specified purposes. Data fiduciaries are responsible for fulfilling these rights while ensuring the security and data accuracy of the data.

Data Of Children And Persons With Disabilities

Data of children and persons with disabilities hold special significance in data protection. Given their vulnerability, specific safeguards and considerations are often applied to their personal information. Organizations must prioritize their privacy and well-being by obtaining parental or legal guardian consent for processing children’s data, ensuring that the data collected is age-appropriate and serves the child’s best interests. Similarly, data fiduciaries must adopt measures to accommodate the unique needs and rights of persons with disabilities, ensuring equal access, clear communication, and tailored support mechanisms.

Data Protection Board’s Role

The Data Protection Board is pivotal in supervising and upholding data protection regulations within a specific jurisdiction. Its responsibilities encompass interpreting and implementing data protection laws, issuing guidelines and recommendations for organizations to adhere to, and resolving telecom dispute settlements on data privacy matters. Furthermore, the board wields the power to impose financial penalties on entities found contravening data protection regulations, thereby ensuring the responsible management of individuals’ personal information by legal prerequisites.

This board possesses the authority to address and prevent personal data breaches and instances of non-compliance. It holds the capacity to levy substantial penalties for violations. Overseeing the board’s functioning, the Central Government can issue directives as deemed necessary.

It needs to impose financial penalties on non-compliance, including mitigating data breaches of security safeguards and failure to notify breaches. The Central Government can grant exemptions for certain purposes, government entities, and specified purposes.

Cross-Border Personal Data Transfer

Cross-border personal data transfer pertains to relocating individuals’ personal information from one nation or legal jurisdiction to another. This intricate procedure entails managing diverse legal, judicial, or regulatory functions and security factors, all aimed at preserving the data’s security and adherence to pertinent data protection regulations as it traverses international boundaries.

The Central Government can impose storage limitations on cross-border personal data transfers via notifications. This provision ensures that existing laws offering heightened storing data protection will persistently apply and govern these transfers.

Conclusion

The Digital Personal Data Protection Bill 2023 establishes a comprehensive framework for safeguarding personal data in India’s digital landscape. By defining key stakeholders, outlining data manipulation conditions, specifying obligations, and providing for penalties and exemptions, the bill addresses the challenges posed by data privacy and protection in the modern era. If passed into law, it will significantly enhance individuals’ control over their data while holding organizations accountable for responsible data-handling practices.