9 August 2023, Mumbai: Bringing India closer to its first data protection law, the Digital Personal Data Protection Bill was passed by the Rajya Sabha on August 9 with a voice vote. The bill will become law after President Droupadi Murmu grants her assent.
The bill was presented for passage in the upper house of the Parliament by Minister for Electronics and Information Technology Ashwini Vaishnaw.
Earlier, on August 7, the bill was passed by the Lok Sabha. The law has been sought by various sections of society ever since the Supreme Court deemed the Right to Privacy as fundamental – with reasonable restrictions – in 2016.
Personal Data Protection Bill
A Personal Data Protection (PDP) Bill was introduced in 2018 and tabled in 2019, after which it was referred to a joint parliamentary committee. The panel studied the bill for two years and presented its report and a modified PDP Bill in December 2021.
But in 2022, the government withdrew the PDP Bill, citing compliance-related reasons, and came out with the Digital Personal Data Protection Bill after a few months. The cabinet approved the bill in July, clearing its way to be tabled in the ongoing monsoon session.
To whom and to what type of data does the DPDP Bill apply?
The Bill, as it is named, will apply to personal data collected in India in a digital format, and in a non-digital format if it is subsequently digitised. It will also apply to Indian citizens whose data is transferred to other countries for availing any goods or services.
To what type of data is the Bill not applicable?
It will not apply to personal data that is publicly available. The Bill provides an illustration of this, which says: “X, an individual, while blogging her views, has publicly made available her personal data on social media. In such cases, the provisions of this Act shall not apply.”
Who can process your personal data?
The Bill uses the term ‘data fiduciary’ to describe those who can process a person’s data. A data fiduciary can be anybody, including public and private bodies, that collects personal data and processes it.
When can data fiduciaries (private and public bodies) process your data?
A private entity, like a social media platform, or a government body can only process personal data after the person concerned has given her consent. The reason for processing a person’s data has to be within law.
Along with consent, users will also receive a “notice” from platforms, in English or in any of the major languages of the country. This notice will state the exact personal data of the user that is going to be processed, the purpose, the process of grievance redressal, and so on.
On the other hand, public or private entities, in specific cases, can also process personal data without consent:
· The government can process one’s data to provide subsidy, benefit, service, certificate, licence or permit
· The government can process a person’s data “for any function under any law... in the interest of sovereignty and integrity of India or security of State”
· For fulfilling any obligation under any law
· For complying with any judgement of a court
· For responding to a medical emergency
· For taking measures in cases of a disaster, or “breakdown of public order”
· For employment purposes such as safeguarding employers from loss or liability
The DPDP Bill, which defines a child as someone below the age of 18, mandates that parental consent is required to process the data of a child. The Bill also puts a bar on tracking children or behavioural monitoring or targeted advertising at children.
By ASC Priya