Digital Personal Data Protection bill: Everything you need to know

Data's locked, but the government's peeking?

On August 9, the Rajya Sabha approved the Digital Personal Data Protection (DPDP) Bill 2023 which will determine how private and government entities can use or process your data. This legislation is designed to tackle the issue of online platforms misusing individuals' personal data. The bill's coverage extends to personal data that is both initially generated in a digital format within India and data that is collected in a non-digital format and later converted into digital form. Here, we'll explain the specifics of the Bill's content and its potential impact on you.

What is it? How will it work?

The Digital Personal Data Protection (DPDP) Bill establishes guidelines for how companies handle digital data processing. It introduces a system for resolving conflicts and disputes and outlines the formation of a Data Protection Board (DPB) of India, the nodal body for data protection. Ashwini Vaishnaw, the Minister of Electronics and Information Technology, said that these regulations will be implemented gradually over the next six to ten months.

The first version of the bill was brought forward in November last year, following numerous rounds of input from the public. The Joint Parliamentary Committee recommended making companies follow even stricter rules. On July 5th, the Union Cabinet gave the thumbs up to the preliminary DPDP Bill. In this bill, there's a suggestion to slap fines of up to ₹250 crore on groups that break the rules stated in it.

On what type of data is the Bill applicable/not applicable?

The Bill doesn't cover personal data that's already out there for everyone to see. To make this clearer, the Bill gives an example: consider an individual named X who shares her personal information on a public platform while expressing her opinions through blogging. In such instances, the regulations outlined in this Act will not be applicable. The Bill uses the term 'data fiduciary' for those who can process your data. This could be any kind of group, be it a government body or a private company, that collects your personal info and works with it.

When can data fiduciaries use your data?

For a private company, like a social media site, or a government agency, handling personal data is only allowed if the individual involved has given their permission. Moreover, the data processing should have a legal basis. Alongside this consent, you will also get a "notification" from these platforms. This notice will spell out the specific personal information of the user that's about to be processed, the purpose behind it and the procedure for addressing complaints.

However, there are certain situations where public or private entities have the authority to handle an individual's data without requiring their consent. This provision, referred to as "certain legitimate uses," outlines particular scenarios where obtaining consent may not be obligatory. For example, the government has the green light to handle your data for stuff like giving out subsidies, benefits, services, certificates, licences, or permits. It can also use your data when carrying out any legal duties or responding to emergencies, which includes taking measures in cases of a disaster or a "breakdown of public order". Your data can even be processed for employment-related reasons, like protecting employers from trouble.

Is it possible to request a platform to cease processing your data?

Absolutely, you can ask a platform to delete, modify or update the personal data stored with it. If you initially agreed to let a platform handle your data, you retain the right to later revoke that consent. In such a case, the platform is required to halt the data processing. Once you withdraw your consent, the Bill specifies that the platform must discontinue the processing within a reasonable timeframe, unless it is legally obliged to continue.

It's also within your rights to ask a platform for a rundown of the data it's handling, or to disclose the names of other platforms and data processors it has shared your data with. But this rule doesn't kick in if the data sharing was done with the aim of preventing and detecting criminal activities.

What steps can you take if your data is misused by a platform or if there's a breach?

If you're aggrieved about anything concerning your personal data, you can reach out to the platform's complaint system. If there's a data breach or the platform isn't following the Bill's rules, you can report it to the DPB. And if the DPB's decision doesn't satisfy you, you can take it up a notch and appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

Will there be a central authority for data protection? If so, what powers will it have?

India is on the cusp of establishing its very own data protection regulator, the Data Protection Board (DPB). This board will act as the central authority handling all matters related to data processing and breaches. Its members, including the chairperson, will be chosen by the central government and can serve for up to two years, with the possibility of reappointment.

The DPB will have the power to order corrective actions in case of a personal data breach, conduct investigations, and impose fines. The individual involved will have a chance to present their case, and any directions given by the board must be followed by the concerned party.

What are the consequences for a platform that misuses your data or violates the Bill's rules?

The Bill specifies that if a data fiduciary is found to have breached the provisions related to safeguarding personal data, the penalty could be as high as ₹250 crore. For failure to report a data breach, the platform might be liable for a penalty of up to ₹200 crore. And if a platform doesn't adhere to the restrictions regarding children's data processing, it could face a fine of up to ₹100 crore.

The DPB also has the authority to request the central government to restrict content access. This action is conditional and takes effect only if the platform has incurred two or more fines for violating the Bill's provisions. The board can recommend that the government block access to information hosted on any "computer resource" that facilitates a data fiduciary in providing services to data subjects.

Will the regulations that apply to private platforms also extend to government entities? If so, what implications could this have for you?

Section 17(2) of the Bill explicitly states that the entire set of provisions in the Act, encompassing aspects like obtaining consent for data access and ensuring data security, will not be binding on any "instrumentality" of the state or central government. The government holds the authority to designate these instrumentalities, citing the objectives of safeguarding India's sovereignty, upholding national security, maintaining friendly foreign relations, ensuring public order, or preventing the incitement of any punishable offence.

Explain to me in toddler terms

This bill is definitely a big move to keep your personal online info safe. However, there's a concern about the substantial authority granted to the government to exempt itself from the Bill's provisions. The extensive range of exceptions provided to the Union government, including all state instrumentalities, raises worries about potential surveillance. Also, the DPB that's supposed to watch over things might not be as independent as it sounds. Even though the bill says the board will do its thing on its own, the government gets to pick who's on it, how it works, and more. This setup could open the door to the government keeping a close eye on things.