All about personal data bill/ law

The Lok Sabha and Rajya Sabha passed the Digital Personal Data Protection (DPDP) Bill.

Here, we explain what exactly the Bill says, how it may affect citizens, and what options are there for a citizen to protest, if he/she is aggrieved.

On whom and on what type of data does the DPDP Bill apply?

The Bill, as it is named, will apply to personal data collected in India in a digital format, and in a non-digital format, if it is subsequently digitised.

It will also apply to Indian citizens whose data is transferred to other countries for availing any goods or services.

On what type of data is the Bill not applicable?

It will not apply to personal data that is publicly available. The Bill provides an illustration of this, which says: “X, an individual, while blogging her views, has publicly made available her personal data on social media. In such cases, the provisions of this Act shall not apply.”

Who can process your personal data?

The Bill uses the term ‘data fiduciary’ to describe those who can process a person’s data. A data fiduciary can be anybody, including public and private bodies, that collects personal data and processes it.

When can data fiduciaries (private and public bodies) process your data?

A private entity, like a social media platform, or a government body can only process personal data after the person concerned has given her consent. The reason for processing a person’s data has to be within law.

Along with consent, users will also receive a “notice” from platforms, in English or in any of the major languages of the country. This notice will state the exact personal data of the user that is going to be processed, the purpose, the process of grievance redressal, and so on.

On the other hand, public or private entities, in specific cases, can also process personal data without consent.

Will platforms be obliged to safeguard data that is stored with them?

Yes. The Bill says that a data fiduciary will protect personal data in its possession or under its control, by taking reasonable security safeguards. This includes data that is being processed by a third party. If there is a data breach, the platform will have to notify the user, and the personal data protection regulator.

Will there be a nodal body for data protection? What will be its powers?

Yes. India will soon have its own data protection regulator, the Data Protection Board (DPB), which will be the nodal body for all data processing and data breach-related issues that may come up. The board’s members, including the chairperson, will be appointed by the central government. They will be appointed for two years and can be reappointed.

The board can direct mitigation measures in case of a personal data breach, inquire into it and also impose a penalty. It has to give the person concerned an opportunity to be heard, and can issue directions, and the person is bound to comply with the directions it gives.

The overarching powers of the DPB have been criticised, and its independence questioned. Although the legislation says that the board will function as an independent body, the government controls the appointees, its functions and more, analysts pointed out.

Can a platform seek consent from a user, with terms and conditions that go against the aim of the Bill?

No. The Bill provides an example of this. “X, an individual, buys an insurance policy using the mobile app or website of Y, an insurer. She gives to Y her consent for (i) processing her personal data by Y for the purpose of issuing the policy, and (ii) waiving her right to file a complaint to the Data Protection Board of India. Part (ii) of the consent, relating to waiver of her right to file a complaint, shall be invalid.”

Can you ask a platform to stop processing your data?

Yes. If a user has given her consent to a platform to process her data, she can still withdraw that consent, and the platform will be obliged to stop processing it.

After a user withdraws her consent, the Bill states that the platform will cease to process the data “within a reasonable time”, based on legal obligations.

When can platforms or governments access data without your consent?

Public or private entities are empowered to process a person’s data without her consent through the clause called “certain legitimate uses” – which, as the name suggests, provides specific scenarios where consent won’t be necessary.

What are those scenarios?

· If someone has voluntarily given her personal data to a data fiduciary, and has not actively refused consent to process that data.

An illustration given in this regard, reads: “X, an individual, makes a purchase at Y, a pharmacy. She voluntarily provides Y her personal data and requests Y to acknowledge receipt of the payment made for the purchase by sending a message to her mobile phone. Y may process the personal data of X for the purpose of sending the receipt.”

· The government can process one’s data to provide subsidy, benefit, service, certificate, licence or permit

· The government can process a person’s data “for any function under any law.. in the interest of sovereignty and integrity of India or security of State”.

· For fulfilling any obligation under any law

· For complying with any judgement of a court

· For responding to a medical emergency

· For taking measures in cases of a disaster, or “breakdown of public order”.

· For employment purposes such as safeguarding employers from loss or liability

Are there special provisions for processing children’s data?

Yes. The DPDP Bill, which defines a child as someone below the age of 18, mandates that parental consent is required to process the data of a child. The Bill also puts a bar on tracking children or behavioural monitoring or targeted advertising at children.

However, the Bill adds a clause that if the government finds that a platform is safely processing the data of a child, the platform can process children's data without the consent of their parents, or even take up targeted advertising.

Are there separate compliance requirements for “significant data fiduciaries”, and what are significant data fiduciaries?

Yes. The central government can notify any data fiduciary as a significant data fiduciary based on the volume of personal data that it processes, the potential risk that this processing may have on users, risk to democracy, and so on.

So, for all purposes, major MNCs, and big tech platforms can very well be notified as significant data fiduciaries.

These platforms will have to appoint a data protection officer who will be the representative of the company with regard to the provisions of the Bill. The DPO should be based in India, should be a member “responsible to the Board of Directors”, and will also be the point of contact for the grievance redressal mechanism.

If a significant data fiduciary fails to observe these additional obligations, the body can be fined up to Rs 150 crore.

Can you ask platforms to give access to or erase your personal data stored with it?

Yes. Users, provided they have given consent to the processing of that data, can request a platform to provide a summary of the data being processed.

Significantly, a user can also ask the platform to share the identities of all other platforms and data processors with whom data has been shared.

However, this provision will not apply if the data sharing happened “for the purpose of prevention and detection” of crimes.

Similarly, a user can ask a platform to delete, modify or update the personal data stored with it.

What are your duties as a user?

Apart from laying down stringent clauses which mandate how a body can process a person’s data, the Bill has certain “duties” assigned to a user. Firstly, a user cannot impersonate another person while providing their data, and the user cannot “suppress any material information” while providing personal data for any identifier that is issued by the government.

The Bill also puts the onus on the user to furnish "verifiably authentic" information if the user wants to modify or erase their data stored with a platform.

When can a platform transfer your data outside the country?

A user’s data cannot be transferred to countries which will be listed as restricted by the government.

"The central government may, by notification, restrict the transfer of personal data by a data fiduciary for processing to such country or territory outside India as may be so notified," the Bill says.

Will all the rules, which will apply for a private platform, also apply for governments? If yes, how will that affect you?

No. Section 17(2) of the Bill specifically says that all provisions of the Act, which include giving consent to access data, the obligation to keep data safe and so on, will not apply when it comes to the "instrumentality" of the state or central government.

The government may notify such instrumentalities “in the interest of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence…”

Additionally, the government will also have the power to “call for information” for the “purposes” of the Bill.

Experts and critics of the Bill have pointed out that this provision may facilitate government surveillance, as the government can effectively put certain of its agencies beyond the purview of the Bill, if it wants to.

Can a startup or a platform also be exempted from the compliance requirements of the bill?

Yes. The Bill says that the central government can notify exemptions to a certain class of data fiduciaries, including startups. If granted exemption, a platform will not have to give notice to a user detailing the type of personal data the platform can process, the purpose for which the data can be processed, and so on.

A platform can also be exempted from ensuring "completeness, accuracy and consistency" if it is processing personal data that can affect a user and also if that data is disclosed to another data fiduciary.

Will the DPB have blocking powers?

Yes. The DPB can ask the central government to block content. However, this will only be applicable if the platform has been fined for breaching the provisions of the Bill twice or more. The board can advise the government to block access to any information that is hosted on any “computer resource” that enables a data fiduciary to offer services to data principals. (I suppose it is principals.)

What can you do if a platform has misused your data, or if you discover that your data has been breached?

Firstly, if a user is aggrieved regarding any issue related to her personal data, she can approach the platform’s grievance redressal mechanism.

Secondly, a person will have the option to complain to the DPB in case of a personal data breach, or if it has been observed that there has been any contravention on the part of the platform, when it comes to compliance with the Bill and its provisions.

Thirdly, if a person is not satisfied with the decision of the DPB, she can appeal to the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).

What will happen to a platform if it has misused your data or breached provisions of the Bill?

If the DPB determines that a data fiduciary has breached the provisions of the Bill, it can impose a monetary penalty on the platform. The penalty will depend on the nature, gravity, duration of the breach (of the provisions of the Bill) and so on.

The Bill says that if a data fiduciary has been adjudged to have breached the provisions of the Act, specifically related to safeguards to personal data, the fine can “extend to Rs 250 crore”.

If a data fiduciary fails to notify a person’s data breach, the platform may attract a penalty of up to Rs 200 crore. If a platform does not abide by the restrictions imposed on processing children’s data, the platform can be fined up to Rs 100 crore.

What are the points of concern in the Bill that you should know about?

Lawyers and digital experts have criticised the government for giving itself wide exemptions from the provisions of the Bill. The Editors Guild of India said that these provisions will clamp down on press freedom and lead to surveillance.

Retired judge BN Srikrishna, who headed the committee that drafted the PDP Bill in 2018, said that the exemptions in the Bill were far "worse" when compared to the PDP (Personal Data Protection) Bill.

Legal experts said the powers of the DPB seem to be “very limited and vague" when compared to those set up by the European Union's General Data Protection Regulation and the UK's Data Protection Act.

Provisions for penalties also fall short of those stated in the European Union's GDPR or similar laws in China, legal experts said.

Last but not least, why are people talking about RTI in connection with the DPDP Bill?

The Bill proposes amendments to the RTI Act, which would mandate that the personal information of public officials will not be disclosed under the RTI Act.

I saw on Facebook that whenever we see a movie post, it leads to porn/sexual movies including animal sex (dog/horse), and how a lady is misbehaved with. These are private movies. I saw that Brindavan Krishna movie scripts lead to the above porn scripts. It is definitely somebody trying to deface the Hindu religious mind. I saw many websites exclusively inviting senior citizens for gay activity. There are user name entries that are not possible to type easily and that form inaccessible users. They lead to personal activities. I reported many to FB; they tell you to report to agencies.

Then why BJP ?????

On Friday, 11 August, 2023 at 11:25:49 am IST, Aparajita Sharma wrote: