The Bill, which comes six years after the Supreme Court declared the “Right to Privacy” a fundamental right, has provisions to curb the misuse of individuals’ data by online platforms.
After passage of the Bill, Union minister for electronics & information technology Ashwini Vaishnaw said: “140 crore citizens who use digital means for accessing so many services will get data protection legislated by the Parliament … With this bill, the digital world will become safer, more trustworthy and it will have a significant impact on common citizens’ lives.”
Minister of State for electronics and IT Rajeev Chandrasekhar posted on X (formerly Twitter): “The Digital Personal Data Protection Bill is passed by Parliament today … My engagement on the issue of privacy started in 2010 and led to me filing a case in the Supreme Court as a petitioner that fought and succeeded in order that Privacy is a fundamental right.”
Here is all you need to know about the new legislation:
According to the Centre, the Bill is an attempt to create a comprehensive data privacy law. It is part of a group of legislations, including the National IT Governance Framework Policy and a new Digital India Act.
According to the legislation, the aim of PDPB “is to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto.”
- The PDPB applies to digital personal data processed in India and excludes personal data that is not digitised, as well as offline personal data.
- It also applies to any entity that processes personal data outside India that relates to any data principal within India.
- There is a provision in the Bill for creating the Data Protection Board of India (DPB), which will be the first regulatory body in India focused on protecting personal data privacy.
- The DPB will oversee compliance and impose penalties on non-compliant organizations.
The new law also establishes numerous rights of citizens, known as Data Principals:
- Right to information: This gives data principals the right to information about the processing of their personal data and a summary of their personal data.
- Right to withdraw consent: Data principals have the right to withdraw consent if they decide they don’t want their data to be processed. They also have the right to know if their data has been shared with a third party.
- Right to correction and erasure: Data principals have the right to correct inaccuracies in their personal data and the right to request erasure of their personal data.
- Right of grievance redressal: This gives data principals the right to register a grievance with the data fiduciary. Should the fiduciary not respond or provide an unsatisfactory response, data principals have the right to escalate a grievance to the Data Protection Board.
The Bill enumerates some obligations of Data Principals, including not providing false information and not filing false complaints.
Meanwhile, data-holding companies have numerous responsibilities under the new law:
- They must clearly explain to data principals what personal data the data fiduciary wants to collect and the purpose of collecting the data
- Obtain informed consent to collect an individual’s personal data
- Allow data principals to withdraw consent at any time
- Allow data principals to correct, update, or request erasure of personal data where it is no longer needed
- Take steps to ensure that data processed is accurate and complete
- Implement appropriate security measures to prevent personal data breaches
- Only retain an individual’s data as long as it is needed for the purpose it was collected
- Notify the Data Protection Board and all data principals impacted if a data breach occurs
- Implement a contract before sharing or transferring data to another fiduciary or to a data processor
Additionally, some larger data organisations will be required to appoint a data protection officer and an independent auditor to conduct periodic audits to ensure ongoing compliance.