Last Updated: August 04, 2023, 12:44 IST
The DPDP Bill provides for the processing of digital personal data in a manner that recognises both the right of individuals and the need to process it for lawful purposes. (Credits: Shutterstock)
The Bill seeks to protect personal data, lays down the rights and duties of the user and defines obligations for the company or government agency collecting the data
The government on Thursday tabled the Digital Personal Data Protection (DPDP) Bill in Lok Sabha which seeks to provide for the protection of personal data and the privacy of individuals.
The bill seeks to achieve protection and security of personal data, ensure ease of doing business and promote maximum governance. The bill is set to introduce a new international precedent in terms of protection framework.
The bill has been finalized with extensive public consultations with the stakeholders including around 21,666 comments from public and around 45 Ministries and departments.
The bill introduces new terms like children’s data and Data Fiduciary to make the bill to enhance its applicability and scope.
Let’s take a look at some of the key terms of Digital Personal Data Protection Bill:
Key Terms of the Bill
- Data Fiduciary: The Bill introduces the term ‘data fiduciary’ to refer to any entity or individual that determines the purpose and means of processing personal data. This includes organizations that collect personal data for various purposes like providing services, research or marketing.
- Data Principal: Data principal is the individual whose data is being collected, stored and processed. The individual has certain rights under the DPDP Bill including the right to access and correct his data, the right to data portability and the right to be forgotten.
- Digital Personal Data: It is the data by which a person may be identified.
- Consent: The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action. The purpose behind collecting personal data should be clear and specified.
- Consent Manager: Consent Manager means a person registered with the Board, who acts as a single point of contact to enable a Data Principal to give, manage, review and withdraw her consent through an accessible and transparent platform.
- Significant Data Fiduciary: Data Fiduciary is the person, company or the government agency processing the data. A ‘Significant Data Fiduciary’ (SDF) is a special category of data fiduciary that is subject to additional obligations under the DPDP Bill. An entity is classified as an SDF based on factors such as the volume and sensitivity of personal data, its processes, its turnover, its use of new technologies for processing data.
- Children’s data: The Bill retains the definition of a ‘child’, an individual below the age of 18 years, from the 2022 Bill. Data fiduciaries must continue to obtain ‘verifiable’ parental consent to process children’s data. It also prohibits tracking and advertising targeted towards children and processing that is likely to cause any ‘detrimental effect’ on the well-being of a child.
- Cross-border data transfers: The Bill moves from the white-list approach (recommended in the 2022 Bill) to a negative list. This means that data transfers are allowed to all jurisdictions except those barred by the government through notification.
Principles underlying the DPDP Bill
- Consented, lawful and transparent use of personal data
- Purpose limitation: Use only for specified purpose under Section 5(1)(i) and 6(1)
- Data Minimization: Collecting only necessary data
- Data accuracy: Updating and ensuring accuracy
- Imposes storage limitation conditions: Storage of Data to be limited to such duration as is necessary for the specified purpose
- Obligations on reasonable security safeguards: To prevent misuse or breach of personal data
- Accountability: Accountability of the person who decides the purpose and means of processing of personal data through adjudication of breaches and financial penalties
