What impact does the new data privacy bill have on you? After several revisions over the years, the government has released a new draft of its data protection law, which governs how a citizen's personal data is collected, stored, and processed. The Digital Personal Data Protection Bill, 2022 introduces several modern requirements, including a user's right to know exactly which personal data about them is being collected, and how it is stored and processed.
The proposed law lays out the dos and don'ts for companies that collect and handle user data (called data fiduciaries) in how they treat personal data. The draft also aims to add a new layer of digital governance by establishing a regulator, the Data Protection Board of India.
We read the proposed law and an explanatory note offered by the government, so you didn’t have to. The following are the implications of the proposed digital personal data protection bill for consumers, internet platforms, enterprises, and any other entity that gathers and maintains user data:
Personal data information rights
Personal data is not only processed by platforms and organizations to target advertisements at users; according to digital rights activists and experts, it can also be used to build detailed digital profiles of a person. Such information can also be sold or shared with third parties without the user's knowledge. To protect users from such situations, the bill stipulates that users have the right to know precisely which of their personal data is being processed, and whether it is being sold or shared with another fiduciary that will use it for other purposes.
Users can request corrections and erasures.
In the digital age, incorrect information about a user is frequently published online. A user's details also change over time, for example when you move house or change your email address or phone number. The proposed law covers these situations by allowing you to ask a platform or any other organization to correct the information it holds about you. In the same way, the bill incorporates a 'right to be forgotten', since users can request that their data be erased.
The bill also requires a data fiduciary to delete personal data once it is no longer needed. A data fiduciary may retain personal data only for the purpose for which it was collected, so once that purpose is served, and retention is no longer necessary for legal or business reasons, the data must be deleted or de-identified so it can no longer be linked to the person. For instance, when a customer closes their savings account, the bank must erase the information tied to that account, apart from records it is separately required by law to keep. Likewise, if a user deletes their account on a social media platform, their data must be deleted as well.
Children’s behavior cannot be monitored.
Under the bill, a data fiduciary may not track or monitor the behavior of minors, nor direct targeted advertising at children. Before processing a child's data, the fiduciary must obtain verifiable parental consent. Failure to meet these obligations toward minors can result in fines of up to Rs 200 crore.
Handling data breach incidents
In the past, users have seldom been notified of data breaches. Even when sensitive personal data such as bank account details, credit card numbers, and Aadhaar numbers has been compromised, it is usually an independent security researcher, rather than the affected company, who brings the breach to light.
To protect users in such cases, the bill requires a platform or any other organization that suffers a data breach to notify each affected user as well as the Data Protection Board. Every data fiduciary and data processor must also protect personal data with reasonable security safeguards to prevent breaches in the first place. If the Board finds that an organization failed to implement adequate safeguards, it may impose a fine of up to Rs 250 crore.
When a personal data breach does occur, the bill allows the Board to direct the data fiduciary to take whatever immediate steps are necessary to remedy the breach or limit the harm caused to users.
Users have the option of filing a complaint.
It is the data fiduciary's responsibility to ensure that a user has effective means of redress for her concerns. To that end, the bill requires every data fiduciary to publish the contact details of the person to whom concerns and inquiries can be directed. The proposed legislation also gives users the right to lodge a complaint with the data fiduciary and, if the fiduciary does not respond or responds unsatisfactorily, to file a grievance with the Data Protection Board.
The ability to nominate
Nomination is a well-established practice and right in many settings, including financial services: consumers are routinely asked to name nominees for their bank accounts, insurance policies, provident funds, and so on. Taking a page from that book, the data protection bill proposes a right to nominate any other individual who, in the event of the data principal's death or incapacity, can exercise the data principal's rights under the proposed legislation.
Users, too, have responsibilities!
Notably, the bill also sets out a set of "duties of data principals". Users must provide accurate information when exercising the right to correct or erase their data, must not file frivolous or unfounded grievances or complaints with a data fiduciary or the Board, and must not supply false information or impersonate someone else. Non-compliance with these duties can attract a penalty of up to Rs 10,000. The bill makes clear, however, that a data fiduciary's obligations remain unchanged regardless of whether a user fulfils these duties.
Noncompliance will be expensive.
Data fiduciaries have little choice but to comply with the law or face penalties of up to Rs 500 crore per instance of non-compliance. The bill sets out a schedule of fines, including up to Rs 250 crore for failing to take reasonable security safeguards against data breaches, Rs 200 crore for failing to report a breach or failing to comply with the provisions relating to children, Rs 10 crore for failing to follow data localization norms, and Rs 150 crore for failing to fulfil the additional obligations imposed on significant data fiduciaries.
The bill states that a "significant" data fiduciary, designated on the basis of factors such as the volume and sensitivity of the data it processes, the risk of harm to users, and the potential impact on electoral democracy, among others, must meet additional obligations that allow greater scrutiny of its practices. This is analogous to the additional obligations placed on significant social media intermediaries with more than 5 million registered users under the Information Technology Rules, 2021.
These significant data fiduciaries must appoint a data protection officer based in India to represent them under the provisions of the law. The officer reports to the significant data fiduciary's board of directors or an equivalent governing body. Although data localization was expected to be a central feature of the proposed regulation, the bill only empowers the central government to notify countries or territories outside India to which data fiduciaries may transfer personal data, on terms and conditions to be specified later.
Edited by Prakriti Arora