In a historic move, India witnessed a significant stride towards safeguarding citizens’ privacy as President Draupadi Murmu granted her assent to the Digital Personal Data Protection (DPDP) Bill on August 11, 2023. With this landmark development, India now possesses dedicated legislation to ensure the protection of personal data, a vital aspect in today’s digital age.
Safeguarding Citizens’ Privacy: A Long-Awaited Achievement
The DPDP Bill’s journey to becoming law was marked by anticipation and deliberation. After receiving approval from the Lok Sabha on August 7 and subsequently from the Rajya Sabha on August 9, the bill emerged as a comprehensive document addressing citizens’ privacy concerns. This legislation, a critical milestone, outlines stringent guidelines for the utilization of individuals’ data, whether by private entities or governmental bodies.
Navigating the Road Ahead: Rule-Making and Implementation
Now that the DPDP Law stands enacted, the government’s next step involves initiating the rule-making process. While the law itself provides a legislative framework, the rule-making process will refine and define its intricacies. One such instance is the identification of countries to which data transfers are prohibited. The rule-making procedures will meticulously set the criteria guiding the inclusion of countries in this data transfer restriction list.
Engaging Stakeholders: An Inclusive Approach
As this momentous law takes shape, industry voices are actively engaging with the government. Their aim? To advocate for an open rule-making process that includes thorough consultations with stakeholders. By involving various perspectives, India seeks to create a well-rounded and effective data protection framework that balances privacy concerns with innovation.
A Journey Towards Privacy: From 2016 to Today
The journey towards India’s data protection law began when the Supreme Court upheld the Right to Privacy as fundamental in 2016. Subsequently, a Personal Data Protection (PDP) Bill was introduced in 2018, followed by tabling in 2019. This bill underwent meticulous scrutiny by a joint parliamentary committee over two years. The culmination came in December 2021, when the committee presented its report and an amended PDP Bill.
A New Chapter Unfolds: DPDP Bill’s Evolution
In 2022, the government’s decision to withdraw the PDP Bill was met with curiosity. Citing compliance-related reasons, the government took a new approach, culminating in the Digital Personal Data Protection Bill’s unveiling. In July, the cabinet’s approval paved the way for the bill to be tabled during the ongoing monsoon session, ultimately leading to its recent enactment.
As India embarks on this journey of data protection, citizens and stakeholders alike eagerly anticipate the law’s impact on enhancing privacy rights and digital security, as well as fostering responsible data practices in the nation’s technological landscape.
On whom and on what type of data does the DPDP Bill apply?
The Bill, as it is known, will apply to personal data gathered in India in digital form, as well as non-digital material that is later digitized.
It will also apply to Indian individuals whose personal information is transferred to foreign nations in order to get products or services.
Who can process your personal data?
The phrase ‘data fiduciary’ is used in the Bill to describe persons who can process a person’s data. Data fiduciaries can be anyone, including public and commercial entities, who gathers and handles personal data.
Will platforms be obliged to safeguard data that is stored with them?
Yes. According to the Bill, a data fiduciary will protect personal data in its ownership or control by implementing adequate security protections. This includes information processed by a third party. If a data breach occurs, the platform must notify both the user and the personal data protection regulator.
Can you ask platforms to give access to or erase your personal data stored with it?
Yes. Users can ask a platform to provide a summary of the data being processed if they have consented to the processing of that data.
A user can also request that the platform reveal the identities of any other platforms and data processors with whom data has been shared.
This provision, however, does not apply if the data exchange was done “for the purpose of prevention and detection” of crimes.
Similarly, a user can request that a platform erase, alter, or update personal data kept on it.
What are your duties as a user?
Aside from establishing severe terms governing how a body may treat a person’s data, the Bill assigns some “duties” to a user. To begin, a user cannot impersonate another person when submitting data, and the user cannot “suppress any material information” while supplying personal data for any government-issued identity.
The bill also requires users to provide “verifiably authentic” information if they want to edit or delete data held on a platform.
Also read: साइबर अटैक से सुरक्षा देगी डिफेंस मिनिस्ट्री की स्वदेशी विंडोज ‘माया’, जानें क्या है इसमें खास!
