Most of us by now have heard of the GDPR (General Data Protection Regulation) that Europe enacted back in 2018. It seemed to kick off a domino effect with many US states forging ahead on their own rather than waiting for federal regulation to come out, shout out to California. And while we try to piece together, at some point, 50 different state requirements another country passed their own consumer data privacy law. Here to give a warm welcome, because that’s what we do around here, to INDIA!
Last week India signed into law The Digital Personal Data Protection Bill or the DPDPB. The personal data bill took approximately 6 years to come to fruition with several versions before it. What I find pretty cool about the bill is that it provides multiple examples of situations and how the bill would apply to those situations in terms of personal data privacy.
X, an individual, gave her consent to the processing of her personal data for an online shopping
app or website operated by Y, an e-commerce service provider, before the commencement of this Act. Upon commencement of the Act, Y shall, as soon as practicable, give through email, in-app notification or other effective method information to X, describing the personal data and the purpose of its processing.
(3) The Data Fiduciary shall give the Data Principal the option to access the contents of the notice referred to in sub-sections (1) and (2) in English or any language specified in the Eighth Schedule to the Constitution.
(1) The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.
Data fiduciary means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data. Think of this as the “controller” role when it comes to US state privacy laws. And similarly, here in the US, they have a multitude of requirements to comply with when it comes to consumer data, except there seems to be a little more government oversight into companies taking in copious amounts of data, and with that, they are given additional requirements to meet. Here are some of the Data Fiduciary requirements at a high level.
- a lawful purpose,—
- (a) for which the Data Principal has given her consent; or
- (b) for certain legitimate uses.
- consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal, informing her,—
- (i) the personal data and the purpose for which the same is proposed to be processed;
- (ii) the manner in which she may exercise her rights under sub-section (4) of section 6 and section 13; and
- (iii) the manner in which the Data Principal may make a complaint to the Board, in such manner and as may be prescribed
- The consent given by the Data Principal shall be free, specific, informed, unconditional and unambiguous with a clear affirmative action, and shall signify an agreement to the processing of her personal data for the specified purpose and be limited to such personal data as is necessary for such specified purpose.
- A Data Fiduciary shall, irrespective of any agreement to the contrary or failure of a Data Principal to carry out the duties provided under this Act, be responsible for complying with the provisions of this Act and the rules made thereunder in respect of any processing undertaken by it or on its behalf by a Data Processor
- The Data Fiduciary shall, before processing any personal data of a child or a person with disability who has a lawful guardian obtain verifiable consent of the parent of such child or the lawful guardian, as the case may be, in such manner as may be prescribed.
- The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary, on the basis of an assessment of such relevant factors as it may determine, including
- (a) the volume and sensitivity of personal data processed;
- (b) risk to the rights of Data Principal;
- (c) potential impact on the sovereignty and integrity of India;
- (d) risk to electoral democracy;
- (e) security of the State; and (f) public order.
While a Data Principal means the individual to whom the personal data relates and where such individual is (i) a child, includes the parents or lawful guardian of such a child; (ii) a person with disability, includes her lawful guardian, acting on her behalf and is entitled to the following rights. A Data Principal is the consumer who provides their information. They are afforded the following rights:
- Data Principals shall have the right to obtain from Data Fiduciary’s who they have previously given consent
- (a) a summary of personal data which is being processed by such Data Fiduciary and the processing activities undertaken by that Data Fiduciary with respect to such personal data;
- (b) the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared by such Data Fiduciary, along with a description of the personal data so shared; and
- (c) any other information related to the personal data of such Data Principal and its processing, as may be prescribed
- the right to correction, completion, updating and erasure of her personal data for the processing of which she has previously given consent
- the right to have readily available means of grievance redressal provided by a Data Fiduciary or Consent Manager in respect of any act or omission of such Data Fiduciary or Consent Manager regarding the performance of its obligations in relation to the personal data of such Data Principal or the exercise of her rights under the provisions of this Act and the rules made thereunder.
- the right to nominate, in such manner as may be prescribed, any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal in accordance with the provisions of this Act and the rules made thereunder.
- A Data Principal shall perform the following duties, namely:—
- (a) comply with the provisions of all applicable laws for the time being in force while exercising rights under the provisions of this Act;
- (b) to ensure not to impersonate another person while providing her personal data for a specified purpose;
- (c) to ensure not to suppress any material information while providing her personal data for any document, unique identifier, proof of identity or proof of address issued by the State or any of its instrumentalities;
- (d) to ensure not to register a false or frivolous grievance or complaint with a Data Fiduciary or the Board; and
- (e) to furnish only such information as is verifiably authentic, while exercising the right to correction or erasure under the provisions of this Act or the rules made thereunder.
The fines range from ten thousand rupees ($120) and for the most severe violation of a data breach two hundred fifty crore rupees, which according to Google is 2.5 billion US dollars.
There you have it folks, some of the key parts of India’s new Digital Personal Data Protection Bill.