New Delhi(India): The Digital Personal Data Protection Bill 2022 has been published by the Department of Electronics and Information Technology (MeitY). The government is now seeking public comment and consultation on the bill.
The bill is supposed to outline the rights and duties of “digital nagriks” or citizens while defining the process and rules for collecting data concerning businesses.
The bill also imposes heavy penalties for breaching any provision of the legislation, which will be decided by the Indian Data Protection Board as established by the new law. However, council orders can be challenged in a High Court
According to an explanatory note for the bill, it is based on seven principles. The first is that “usage of personal data by organisations must be done in a manner that is lawful, fair to the individuals concerned and transparent to individuals.”
This third principle concerns data minimisation, while the fourth emphasizes data accuracy regarding collection.
The fifth principle discusses how personal data collected cannot be “stored perpetually by default,” and storage should be limited to a fixed duration.
The sixth principle notes that there should be reasonable safeguards to ensure “no unauthorised collection or processing of personal data.”
Finally, the seventh principle “is that the person who decides the purpose and means of processing personal data should be accountable for such processing.”
Data Principal and Data Fiduciary
The bill uses the term “Data Principal” to denote the individual whose data is being collected.
The term “Data Fiduciary” refers to the entity (can be an individual, company, firm, state etc.), which decides the “purpose and means of the processing of an individual’s data.
The law also recognises that in the case of children –defined as all users under the age of 18— their parents or lawful guardians will be considered their ‘Data Principals.’
Under the law, personal data is “any data by which or about which an individual can be identified.” Processing means “the entire cycle of operations that can be carried out in respect of personal data.” So right from collection to storage of data would come under processing as per the bill.
The bill also ensures that individuals should be able to “access basic information” in languages specified in the eighth schedule of the Indian Constitution.
The bill also clarifies that individuals need to consent before their data is processed and that “every individual should know what items of personal data a Data Fiduciary wants to collect and the purpose of such collection and further processing.”
Further, the notice of data collection needs to be in clear and easy-to-understand language. Individuals also have the right to withdraw consent from a Data Fiduciary.