Explained: India’s new Digital Personal Data Protection framework

Published: August 13, 2023

A new law that defines how companies should process users’ data came into force with the President giving assent to the Digital Personal Data Protection (DPDP) Act passed by Parliament in the just-concluded monsoon session.

Digital Personal Data Protection law has been notified by government. (Getty Images)

The law arms individuals with greater control over their data while allowing companies to transfer users’ data abroad for processing, except to nations and territories restricted by the Centre through notification.

It also gives the government power to seek information from firms and issue directions to block content. While the new law seeks to establish a robust framework for the protection of personal data in the digital realm, it has drawn criticism from some quarters over broad exemptions granted to state entities and some of its provisions diluting the landmark Right to Information (RTI) law.

The new legislation comes after the government, last year, withdrew a December 11, 2019 bill that had alarmed tech companies like Facebook and Google with its proposals for stringent restrictions on cross-border data flows.

Here are key takeaways from the freshly-minted, landmark law:

OBLIGATIONS OF DATA FIDUCIARY: Data fiduciaries, which are entities collecting and processing personal data, are required to obtain free, informed and unconditional consent from individuals before processing their data. Data must be deleted when its purpose has been fulfilled or consent is withdrawn. Entities must protect personal data in their possession by taking reasonable security safeguards to prevent a data breach, and alert the Data Protection Board of India and affected persons when a data breach occurs.

A Data Fiduciary has to publish the contact information of a Data Protection Officer or a person who will answer questions about the processing of personal data. A Data Fiduciary must set up an effective grievance redressal mechanism.

RIGHTS & RESPONSIBILITIES OF INDIVIDUALS: Individuals have the right to access the personal data collected about them and know with whom it has been shared. They can request the deletion, correction, or updating of their personal data. In case of grievance, they can approach such a mechanism set up by data fiduciaries. The rights, however, come with certain duties. They cannot impersonate another person while providing personal data, cannot register a false complaint, or suppress material information. Breach of duties can be punishable with a penalty of up to 10,000.

SPECIAL PROVISIONS: The government can prohibit the transfer of personal data to certain countries for security and sovereignty reasons. It can also exempt certain classes of fiduciaries, including startups, from complying with specific provisions.

POWERS OF GOVERNMENT: The government can order the blocking of a data fiduciary after a hearing based on the recommendation of a Data Protection Board. Immunity from legal proceedings is extended to the central government, the board, its chairperson, and members. Decisions of the board are now appealable before TDSAT.

TIMELINES: The Lok Sabha approved the bill on August 7, and Rajya Sabha on August 9, marking the completion of the Parliamentary approval process. The government expects to implement DPDP within 10 months, IT Minister Ashwini Vaishnaw had said. The draft bill had been circulated in November 2022 for public comments, after the Government withdrew a previous version of the data protection bill from Lok Sabha on August 3, 2022.

APPLICABILITY: Personal data is defined as data about an individual. The norms will apply to personal data collected in digital form, from individuals in India, and personal data collected offline but digitised subsequently. It will also apply to processing outside India, if it has to do with offering goods or services to individuals in India. The Act does not apply to personal data processed by an individual for any domestic purpose, nor to personal data made publicly available by an individual.

PROCESSING OF PERSONAL DATA: Processing means actions related to digital personal data, including collection, storage, indexing, sharing, use, disclosure, dissemination and even erasure. Personal data can be processed only for a lawful purpose for which an individual has given consent and for certain legitimate uses. For consent, notice has to be given by a data fiduciary (data using entity) to the data principal (individual) describing the data and purpose to be processed, also the manner in which the individual can make a complaint to the data protection board.

CONSENT: Consent of individuals must be free, unambiguous, and clear affirmative action, agreeing to processing of personal data only for the specified purpose. This means even if consent is for other purposes, say where a telemedicine app seeks access to users’ contact list, the consent will be considered to be limited only to the specific purpose of data being collected (telemedicine services). Consent can be withdrawn at any time.

PROCESSING OF PERSONAL DATA OF CHILDREN: DPDP mandates parental consent for processing of children’s data. Data collecting entities cannot undertake processing of personal data that is likely to cause detrimental effect on the well-being of a child, nor can they undertake tracking or behavioural monitoring of children or targeted advertising directed at children. It defines a child as an individual who has not completed 18 years of age. However, the government can lower the age of consent for certain entities if satisfied that they process children’s data in a “verifiably secure” way.

EXEMPTIONS: Exemptions are applicable in cases where processing of personal data is needed for prevention and probe of offences, enforcing legal rights or claims, merger or amalgamation, detecting financial frauds, among others. The Centre can exempt the application of the law for Government entities in the interests of the sovereignty, integrity, and security of the State, or for public order.

DATA PROTECTION BOARD OF INDIA: The Act envisages establishment of Data Protection Board of India, tasked with monitoring compliance, inquiring into breaches, and imposing penalties, and directing remedial or mitigation measures in case of data breach.

PENALTIES: The provisions lay down different penalties for different offences — failure to take reasonable security safeguards to prevent data breaches entails up to 250 crore penalty, while non-fulfillment of obligations to give Board and individuals notice of data breach draws penalty of up to 200 crore. The penalty for non-compliance of additional obligations in relation to children is up to 200 crore.

CRITICISM: According to Internet Freedom Foundation, the new law seems to prioritise data processing over privacy protection, which contradicts the original intent of safeguarding individuals’ rights. Also, the broad exemptions granted to state entities are of concern. The law does not contain any meaningful safeguards against “over-broad surveillance”.

While opposition MPs and digital experts say the legislation would allow the government and its agencies to access user data from companies and personal data of individuals without their consent, the Editors Guild of India says it impacts press freedom, creates an enabling framework for surveillance of citizens including of journalists and their sources, and dilutes the Right to Information law.

Source web site: www.hindustantimes.com