The Data Protection Act was passed in the Rajya Sabha on 09.08.2023. The Act came into effect on 11th August 2023. The Act will be applicable to the handling of digital personal data processed in India, whether the data is obtained online or obtained offline and then converted to digital form. If the processing is being done to offer products or services in India, it will also apply to processing done outside of India.
Personal data may be handled only with the individual’s consent and for legitimate purposes. For certain legal purposes, such as processing by the state in order to handle applications for permits, licenses, benefits, and services, or the voluntary exchange of data by an individual, consent may not be required. Data fiduciaries will be required to keep the data safe and accurate, and to delete it after its purpose has been served.
1. Application – If digital personal data is processed in India and is either (a) gathered online or (b) collected offline and converted to digital form, the Bill is applicable. If processing is done to provide goods or services in India, it also applies to processing done outside of India. Any information on a person who may be identified from or in connection with that information is referred to as personal data. The term “processing” refers to any fully or partially automated action taken on digitally stored personal data. It comprises gathering, keeping, using, and sharing.
2. Consent – Only with the individual’s consent and for a legal purpose may personal data be used. Before requesting consent, a notification must be given. Information about the personal data to be gathered and the processing goal should be included in the notification. The ability to revoke consent is always available. For “legitimate uses,” which include (a) the specific purpose for which data has been willingly submitted by an individual, (b) the government’s supply of a benefit or service, (c) a medical emergency, and (d) employment, consent won’t be necessary. The parent or the legal guardian must give consent on behalf of minors under the age of 18.
3. Rights and liabilities of data principal – A person whose data is being processed (referred to as the “data principal”) is entitled to the following rights: (a) information about the processing; (b) deletion of personal data; (c) designating a substitute for themselves to exercise rights in the case of death or incapacity; and (d) grievance redressal. Certain obligations will fall on data principals. They may not: (a) file a fictitious or baseless complaint; (b) provide any false information; or (c) impersonate another individual in certain circumstances. Duty violations are penalized by fines of up to Rs 10,000.
4. Liabilities of Data fiduciaries – The organization deciding the purpose and method of processing, or “data fiduciary,” is required to: (i) take reasonable steps to ensure the accuracy and completeness of the data; (ii) put in place reasonable security measures to prevent a data breach; (iii) notify the Data Protection Board of India and any affected individuals in the event of a breach; and (iv) erase personal data as soon as the purpose has been satisfied and retention is no longer required for legal purposes (storage limitation). Government organizations are exempt from storage restrictions and the data principal’s right to erasure.
5. Transfer of personal data outside India – The Bill permits the transfer of personal data outside of India, with the exception of nations that have been restricted by notification from the central government.
6. Exemptions – The rights of the data principal and obligations of data fiduciaries (except data security) will not apply in specified cases. These include: (a) prevention and investigation of offences, and (b) enforcement of legal rights or claims. The central government may, by notification, exempt certain activities from the application of the Bill. These include (a) processing by government entities in the interest of the security of the state and public order, and (b) research, archiving, or statistical purposes.
7. Data Protection Board of India – The Data Protection Board of India will be established by the national government. The Board’s main duties include (a) enforcing penalties for noncompliance, (b) requiring data fiduciaries to take appropriate action in the event of a data breach, and (c) hearing grievances brought forth by impacted parties.
Members of the board will be appointed for two years with the possibility of reappointment. The number of Board members and the procedure for choosing them shall be specified by the national government. The TDSAT will hear appeals against the Board’s judgments.
8. Penalties – Penalties for numerous infractions are outlined in the schedule to the Bill, including up to (a) Rs 200 crore for failing to fulfill commitments to children and (b) Rs 250 crore for failing to take security precautions to avoid data breaches. The Board will issue penalties following an investigation.
India presently lacks a stand-alone data protection law. The use of personal data is governed under the Information Technology (IT) Act of 2000. To study concerns pertaining to data protection in the nation, the central government established a Committee of Experts on Data Protection in 2017. The committee is chaired by Justice B. N. Srikrishna. In July 2018, the Committee turned in its report.
The Personal Data Protection Bill, 2019 was presented in Lok Sabha in December 2019 based on the Committee’s recommendations. The Bill was referred to a Joint Parliamentary Committee, which delivered its report in December 2021. The Bill was withdrawn from Parliament in August 2022. A Draft Bill was made available for public comment in November 2022. August 2023 will see the Digital Personal Data Protection Bill, 2023 introduced in Parliament.