Data Protection Bill - Explained
Pradeep Agarwal
CTO | CMO | Strategic Technology Leader | Cybersecurity Expert | GDPR & Data Privacy Expert | GenAI | HRMS Solutions
This bill aims to safeguard personal data and protect the privacy of individuals. It establishes guidelines for the processing of digital personal data within India, whether collected online or offline and subsequently digitized. Additionally, the bill extends its applicability to the processing of personal data outside India if it involves offering goods or services in India. Personal data, as defined by the bill, refers to any data that can identify an individual or is related to their identity. Processing, on the other hand, encompasses various automated operations performed on digital personal data, including collection, storage, use, and sharing.
Consent and its Importance
The bill emphasizes the significance of obtaining consent from individuals before processing their personal data for any lawful purpose. To ensure transparency, a notice must be provided to individuals, detailing the personal data to be collected and the purpose of processing. Individuals have the right to withdraw their consent at any time.
For individuals below 18 years of age, consent must be obtained from their parent or legal guardian.
Rights and Duties of Data Principals
These rights include the right to obtain information about the processing of their data, the right to request correction and erasure of personal data, the right to nominate someone to exercise their rights in case of death or incapacity, and the right to seek grievance redressal. Violation of these duties may result in a penalty of up to Rs 10,000.
Obligations of Data Fiduciaries
Data fiduciaries, the entities responsible for determining the purpose and means of processing, have several obligations under the bill. They must make reasonable efforts to ensure the accuracy and completeness of data, establish adequate security safeguards to prevent data breaches, inform the Data Protection Board of India and affected individuals in case of a breach, and erase personal data once the purpose of processing has been fulfilled and retention is no longer necessary for legal purposes. However, these obligations do not apply to government entities, exempting them from storage limitation and the right to erasure.
Recommended by LinkedIn
Exemptions and Cross-border Transfer
The bill also permits the transfer of personal data outside India, except to countries restricted by the government through notification.
The bill provides exemptions for certain cases where the rights of data principals and obligations of data fiduciaries (except data security) do not apply. The bill also permits the transfer of personal data outside India, except to countries restricted by the government through notification.
Significant Data Fiduciaries and Additional Obligations
Certain data fiduciaries may be designated as significant data fiduciaries based on factors such as the volume and sensitivity of personal data processed, risks to data principals' rights, security of the state, and public order. These significant data fiduciaries have additional obligations, including appointing a data protection officer and conducting impact assessments and compliance audits.
Data Protection Board of India and Penalties
The central Government will establish the Data Protection Board of India. Board members will serve a two-year term and may be re-appointed. The bill specifies penalties for various offenses, ranging from up to Rs 200 crore for non-fulfillment of obligations related to children's data to up to Rs 250 crore for failure to implement security measures to prevent data breaches.
Hiring Full Stack Java Developer, Digital Marketing Expert, Dot Net Developers | IT Staff Augmentation | Staffing & Recuitment | Contract-to-Hire
1yInformative