DIGITAL PERSONAL DATA PROTECTION (DPDP) BILL

For Latest Updates, Current Affairs & Knowledgeable Content.

WHY IN NEWS :

Recently, after long haul of five years and multiple iterations, the Digital Personal Data Protection (DPDP) Bill was tabled in Parliament.

ABOUT DPDP BILL:

The new (and streamlined) DPBP Bill intends to – ‘provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto.’

KEY HIGHLIGHTS OF THE BILL :

The Bill will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised.
It will also apply to such processing outside India, if it is for offering goods or services or profiling individuals in India.
Personal data may be processed only for a lawful purpose for which an individual has given consent. Consent may be deemed in certain cases.
Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.
The Bill grants certain rights to individuals including the right to obtain information, seek correction and erasure, and grievance redressal.
The central government may exempt government agencies from the application of provisions of the Bill in the interest of specified grounds such as security of the state, public order, and prevention of offences.
The central government will establish the Data Protection Board of India to adjudicate non-compliance with the provisions of the Bill.

KEY FEATURES OF THE BILL :

Applicability: The Bill will apply to the processing of digital personal data within India where such data is: (i) collected online, or (ii) collected offline and is digitised.
It will also apply to the processing of personal data outside India, if it is for offering goods or services or profiling individuals in India.
Personal data is defined as any data about an individual who is identifiable by or in relation to such data.
Processing has been defined as an automated operation or set of operations performed on digital personal data. It includes collection, storage, use, and sharing.
Consent: Personal data may be processed only for a lawful purpose for which an individual has given consent. A notice must be given before seeking consent.
Notice should contain details about the personal data to be collected and the purpose of processing. Consent may be withdrawn at any point in time.
Transfer of personal data outside India: The central government will notify countries where a data fiduciary may transfer personal data. Transfers will be subject to prescribed terms and conditions.
Penalties: The schedule to the Bill specifies penalties for various offences such as: (i) up to Rs 150 crore for non-fulfilment of obligations for children and (ii) up to Rs 250 crore for failure to take security measures to prevent data breaches. Penalties will be imposed by the Board after conducting an inquiry.

SCOPE OF THE DPDP BILL :

The DPDP Bill applies to any ‘digital personal data’ processed within India.
For the purpose of understanding, the term ‘data’ is used in the DPDP Bill to mean the ‘representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means’.
The term ‘personal data’ is defined as ‘any data about an individual who is identifiable by or in relation to such data’.
The term ‘digital personal data’ (in the DPDP Bill) encompasses data collected offline and subsequently digitized as well as data collected online by a ‘Data Principal’.

Notably, if such private individual is a ‘child’, then the term ‘Data Principal’ includes the parents or lawful guardian(s) of such a child.

BILL PROTECTS PERSONAL DATA ?

Firms scraping data from social media can only take data that has been posted by the user themselves.
If the data is posted by a third person, however, firms will need to obtain permission for scraping this data.
The bill also restricts storage and processing of personal user data, beyond what a user explicitly gave consent for.
This can significantly complicate the consent-taking procedure that most companies follow right now.
Hence, while it does permit personal data usage, it also limits it.
However,exemptions afforded to companies to withhold personal data for law enforcement could be misused.

MECHANISM OF COMPLAINTS:

The Telecom Disputes Settlement and Appellate Tribunal under a Data Protection Board will handle grievances.
This has raised questions. Some question if the body has the expertise to assess and gauge the impact of breach of consent of personal data.
Others cite this as a missed opportunity to set up a dedicated authority to handle grievances.

CHILD SAFETY VIS-A-VIS DPDP BILL:

Under section 9(5), on processing personal data of children, the age at which users are determined as ‘children’ is not held constant at 18.
Companies may process personal data of children if it is “done in a manner that is verifiably safe”.
This could be important, since the bill does take into account modern-day internet usage by children.
However, the definition of “verifiably safe” data processing is up for debate—although the bill bans tracking underage internet users and advertisements targeting them.

SYLLABUS: MAINS, GS-2, INDIAN POLITY

SOURCE: PRS India

Any Doubts ? Connect With Us.

For Latest Updates & Daily Current Affairs