The Indian Ministry of Electronics and Information Technology (MeitY) published its fourth draft of the proposed privacy law, renamed the Digital Personal Data Protection Bill, 2022, on November 18. Ashwini Vaishnaw, Union Minister for Communications, Electronics, and Information Technology, introduced the bill for public comment.
What is the Digital Personal Data Protection Bill?
The Digital Personal Data Protection Bill comes nearly four to five months after the Supreme Court directed the government to develop a set of data protection rules that prioritize privacy as a fundamental right. The renamed bill is the fourth iteration of the proposed law.
Let us quickly review the key points of the widely debated Digital Personal Data Protection Bill and the rights it confers on individuals.
What data is considered personal under the proposed Digital Personal Data Protection Bill?
According to the Digital Personal Data Protection Bill, personal data is any data that can help identify an individual easily. The data protection bill defines identifiable personal data as information about an individual, such as name, contact information, bank account details, and biometric data.
With consent or deemed consent, such personal data may be used by data fiduciaries (any person or group of persons entrusted with data processing) for lawful purposes such as enforcing a judgment, responding to a medical emergency, and preventing a disaster.
What are an individual’s rights under the Digital Personal Data Protection Bill?
Right to information about the processing and summary of their data
The Digital Personal Data Protection Bill, 2022 confers certain rights on the Data Principal (the individual whose personal data is being shared), given that Data Fiduciaries (individuals or businesses who determine the purpose and method of data processing) have obtained his or her personal data:
- The right to confirm that the Data Fiduciary is processing or has processed the Data Principal’s personal data.
- An overview of the personal data being processed, as well as of the processing activities carried out by the Data Fiduciary on the data collected.
- The identities of all data fiduciaries with whom personal data has been shared.
- Any additional information that may be required.
Right to Personal Data Correction and Erasure
- The Data Principal has the right to have his/her personal data corrected and erased in accordance with applicable laws and in the manner prescribed.
- Upon receiving a request for correction and erasure from the Data Principal, the Data Fiduciary shall:
- a) Rectify incorrect or misleading personal data.
- b) Complete the incomplete personal data.
- c) Update the Data Principal’s personal data.
- d) Erase the personal data that is no longer needed, unless retention is mandated by law.
Right of Grievance Redressal
According to the Digital Personal Data Protection Bill, the Data Principal has the right to file a complaint with the Data Fiduciary. If the Data Principal finds the Data Fiduciary’s resolution unsatisfactory, or if he or she does not receive a response even after seven days, the complaint can be escalated to the Board in the manner prescribed.
Right to Withdraw Consent
The Digital Personal Data Protection Bill defines the consent of a Data Principal as a specific, clear, informed, and unambiguous indication of his/her wishes. It should be a positive action indicating approval of processing personal data for a specific purpose.
Where consent is given for personal data, the Data Principal reserves the right to withdraw consent at any time. The consequences of such withdrawal shall be borne solely by the Data Principal, but the withdrawal shall in no way affect the lawfulness of the data processed before the withdrawal. Furthermore, withdrawing consent should be as simple as giving consent.
Right to Nominate
According to the Digital Personal Data Protection Bill, a Data Principal shall have the right to nominate any other individual who shall, in the event of the Data Principal’s death or mental or physical infirmity, exercise the Data Principal’s rights in accordance with the provisions of this Bill.
Duties of an individual under the proposed Digital Personal Data Protection Bill
While giving Data Principals specific rights, the Digital Personal Data Protection Bill also sets out certain duties an individual must abide by:
- The Data Principal must comply with all relevant legislation while exercising his or her rights under this law.
- No individual may lodge a false complaint/grievance with the Data Fiduciary or the Board.
- Under no circumstances shall the individual/Data Principal misrepresent any personal data related to proof of identity, address, or employment. No attempt shall be made to conceal any material information or to impersonate another person.
- The individual must provide only certifiable and authentic information or documents when exercising the right to correction or erasure.
The draft Digital Personal Data Protection Bill, 2022 envisions the establishment of a Data Protection Board of India to determine non-compliance with the draft Bill’s provisions, impose penalties for such non-compliance, and take action in accordance with the provisions of the Bill.
When passed, a well-designed Digital Personal Data Protection Bill will provide a legal foundation for citizens’ entitlements by clearly defining the scope of the basic right to privacy and the Data Fiduciaries. Though it still has some gaps in safeguarding citizens from data breaches, once it is revamped to remove the flaws and fully implemented, India’s data protection will be on par with that of developed nations.
What are SDFs or Significant Data Fiduciaries in Digital Personal Data Protection Bill?
As the name implies, a significant data fiduciary is a data fiduciary, but one that data privacy and cybersecurity authorities place in a “significant” category depending on the type of personal data, its risks, and its sensitivity. Another critical point is that data fiduciaries in the significant category must meet the special accountability requirements detailed in the personal data protection bill.
What are the exemptions of the Digital Personal Data Protection Bill?
The exemptions to this Bill include situations where:
- Personal data processing is required to enforce any legal right or claim.
- Personal data is processed to prevent or prosecute any crime or law violation.