Digital Personal Data Protection Bill, 2023: A Must-Know how for HR!!
The Digital Personal Data Protection Bill, 2023, gives the government powers to exempt state agencies from the law and gives users the right to correct or erase their personal data.
Digital Personal Data Protection Bill, 2023 must have known to HR
The Government of India passed a data protection bill on Wednesday that would oversee how internet companies manage users’ data, despite complaints that it will likely lead to increased government surveillance.
The law will allow companies to transmit some users’ data abroad, while also giving the government the authority to collect information from businesses and issue orders to restrict content based on the opinion of a federally constituted data protection board.
What you need to know?
The bill seeks to update existing data protection laws, which are mostly implemented under Section 43A of the Information Technology Act of 2000. The Data Protection Bill includes a safeguard for digital personal data, protecting information that can be used to identify persons.
This includes the duties of data fiduciaries—individuals, businesses, and government agencies that process data—and includes data collecting, storage, and related operations. It also defines the rights and responsibilities of Data Principals, or the individuals to whom the data relates.
According to a government statement, the Bill aspires to implement data protection law with minimal disruption while assuring required change in the way Data Fiduciaries use data; improve the Ease of Living and the Ease of Doing Business; and Enable India’s digital economy and its innovation ecosystem.
Principles of the Bill
The foundation of the Bill is built on important concepts such as requiring consent for data usage, limiting data to its intended purpose, collecting only required information, guaranteeing data accuracy, preserving data for as long as necessary, emphasizing security, and enforcing responsibility through penalties for violations.
Individuals are granted rights such as access to processed personal data, data correction and erasure, grievance redressal, and the option to choose a representative to exercise rights in the event of death or incapacity.
Obligations on the data fiduciary
Data fiduciaries must protect personal data, notify affected individuals and the Data Protection Board of breaches, delete data when no longer needed or upon consent withdrawal, set up a grievance system, and perform additional duties for Significant Data Fiduciaries, such as appointing a data auditor and conducting regular Impact Assessments.
Exemptions are specified in the Bill, including those for security, research, startups, legal rights enforcement, judicial or regulatory tasks, preventing, detecting, or prosecuting offenses, processing non-resident data under foreign contracts, approved mergers or demergers, and locating defaulters and their financial assets.
The Bill provides for the below pointing obligations on the data fiduciary
- To have security controls in place to avoid a breach of personal data;
- To notify the affected Data Principal and the Data Protection Board of any personal data breaches;
- To destroy personal data when it is no longer required for the indicated purpose;
- To delete personal data when consent is withdrawn;
- To have a grievance redressal procedure in place, as well as an official to react to inquiries from Data Principals; and
- To meet certain additional requirements in relation to Data Fiduciaries who have been designated as Significant Data Fiduciaries, such as employing a data auditor and completing periodic Data Protection Impact Assessments, in order to provide a higher level of data protection.
The Digital Personal Data Protection Bill, 2023 gives the government powers to exempt state agencies from the law and gives users the right to correct or erase their personal data.
The new legislation comes after India withdrew a 2019 privacy bill that had alarmed tech companies like Facebook and Google with its proposals for stringent restrictions on cross-border data flows.
The law proposes penalties of up to 2.5 billion rupees ($30 million) for violations and non-compliance.
However, it has drawn criticism from opposition lawmakers and rights groups over the scope of exemptions.
The Internet Freedom Foundation, a digital rights group, has also said that the law does not contain any meaningful safeguards against “over-broad surveillance”, while the Editor’s Guild of India has said it affects press freedom and dilutes the Right to Information law.
Deputy minister for information technology Rajeev Chandrasekhar has said that the law will protect the rights of all citizens, allow the innovation economy to expand, and permit the government legitimate access in the case of national security and emergencies like pandemics and earthquakes.
- Vrunda Thakkar on HR Strategies to retain top talent in the competitive market - December 12, 2024
- 3 Work Problems HR Can’t Solve for You: Insights from an HR Professional - November 11, 2024
- Germany’s 4-Day week trial offers interesting results - October 21, 2024