How the Data Protection Act will impact you, personally

The Act mandates that digital platforms get user permission before using their personal information.

NEW DELHI: After years of deliberations and several drafts, a comprehensive digital personal data protection regime is closer to reality. The Ministry of Electronics and Information Technology released the draft Digital Personal Data Protection Rules on January 5. The draft Rules, which spell out how companies and government agencies must handle digital personal data under the Act, are open for public consultation until February 18.

The Act was first introduced in the Lok Sabha on August 3, 2023, and was passed by the Lower House on August 7. It was introduced in the Rajya Sabha on August 9 and passed the same day. It became the Digital Personal Data Protection (DPDP) Act, 2023, on receiving the President's assent on August 11. The Act applies to personal data in digital form, including data collected offline and later digitised; data that is only ever processed in non-digital form is outside its scope.

Why do we need a data protection law?

Over the past decade, India has experienced exponential growth in digital adoption, with millions of people relying on online services and social media platforms for various aspects of their lives. The absence of a comprehensive data protection law in India has left citizens vulnerable to data breaches, identity theft, and other forms of cyber exploitation. The DPDP Act 2023 aims to address these concerns by providing a clear framework for data protection. It ensures that companies obtain permission before collecting and using personal data. It also mandates that they collect only the data necessary for their operations and take adequate measures to keep personal data safe and secure.

Built-in protection

The Act mandates that digital platforms get user permission before using their personal information. These platforms must also provide clear ways for users to withdraw their consent, access information about how their data is being used, update or delete their data, address grievances, nominate representatives, and file complaints with the Data Protection Board (DPB). Platforms can also use independent consent managers to help collect and manage user permissions. In the event of a data leak, companies must inform individuals within a specified timeframe about its extent and the steps to contain it.

Working process

A data principal (the individual whose data is processed, with a parent or lawful guardian acting for a child) gives consent either directly to the platform or through a consent manager. A consent manager is a person or entity registered with the DPB that acts as a single point of contact to help individuals give, manage, review and withdraw consent through an accessible, transparent and interoperable platform. It serves as an intermediary that facilitates the consent process and does not itself decide how the data is used. The role is similar to that of account aggregators under the Reserve Bank of India's guidelines.

The personal data so collected is processed by a data fiduciary, which is any person or organisation that determines the purpose and means of processing personal data. Non-compliance attracts monetary penalties under the Schedule to the DPDP Act; the cap depends on the obligation breached and goes up to Rs 250 crore, the highest figure, for failing to take reasonable security safeguards to prevent a breach.

Data retention span

Under the draft Rules, if a data fiduciary processes personal data for a specified purpose and the data principal (individual) does not approach the fiduciary for that purpose within a specified period, the personal data must be erased unless it has to be retained to comply with the law. The retention period applies to specified classes of data fiduciary, such as large e-commerce platforms, online gaming intermediaries and social media companies.

These entities may retain personal data for up to three years from the date of the last interaction or from the date the Rules come into force, whichever is later, unless the data is needed to let the user access their account or any virtual token issued to them.

Before erasing the data, companies must notify individuals at least 48 hours in advance, allowing them to log in or contact the fiduciary if they wish to retain their data.
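The retention rule has more edge cases than the two sentences above suggest: the three-year clock starts at the later of two dates, a user who logs in after the 48-hour notice resets it, and a record must never be erased without the notice having gone out. The following Python is an added example written for this article, not code from the newspaper, the Ministry or any platform; the record fields, the sample data and the commencement date of the Rules are constructed placeholders, and "three years" is taken as calendar years.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

UTC = timezone.utc

# Constructed parameters. The draft Rules give the three-year period and the
# 48-hour notice; the commencement date below is a placeholder, not the real one.
RETENTION_YEARS = 3
NOTICE_WINDOW = timedelta(hours=48)
RULES_EFFECTIVE = datetime(2025, 1, 3, tzinfo=UTC)  # placeholder, assumption


@dataclass
class Record:
    """One data principal's record as a hypothetical platform might store it."""
    principal_id: str
    last_interaction: datetime                 # last time the principal approached the fiduciary
    legal_hold: bool = False                   # retention required to comply with law
    needed_for_account_access: bool = False    # account-access / virtual-token exception
    notice_sent_at: Optional[datetime] = None  # when the 48-hour erasure notice went out


def add_years(dt: datetime, years: int) -> datetime:
    """Calendar-year arithmetic; 29 February falls back to 28 February in a non-leap year."""
    try:
        return dt.replace(year=dt.year + years)
    except ValueError:
        return dt.replace(year=dt.year + years, day=28)


def erasure_due(rec: Record, rules_effective: datetime) -> datetime:
    """The clock starts at the later of the last interaction and the Rules' commencement."""
    return add_years(max(rec.last_interaction, rules_effective), RETENTION_YEARS)


def classify(rec: Record, now: datetime, rules_effective: datetime) -> str:
    """Return 'retain', 'notify', 'await' or 'erase' for this record at time `now`."""
    if rec.legal_hold or rec.needed_for_account_access:
        return "retain"
    if rec.notice_sent_at is not None and rec.last_interaction > rec.notice_sent_at:
        # The principal came back after the notice: the clock has restarted.
        return "retain"
    due = erasure_due(rec, rules_effective)
    if rec.notice_sent_at is None:
        # No notice yet: send one once inside the 48-hour window (or overdue),
        # but never erase without it.
        return "notify" if now >= due - NOTICE_WINDOW else "retain"
    # Notice has gone out: erase only when both the retention period and the
    # 48 hours since the notice have elapsed, so the principal had a chance to log in.
    if now >= due and now - rec.notice_sent_at >= NOTICE_WINDOW:
        return "erase"
    return "await"


def sweep(records: List[Record], now: datetime, rules_effective: datetime) -> Dict[str, str]:
    """Run the retention decision over a batch and map principal id to action."""
    return {r.principal_id: classify(r, now, rules_effective) for r in records}


# Constructed sample records covering each branch of the rule.
SAMPLE_RECORDS = [
    Record("dormant_unnotified", datetime(2024, 6, 1, tzinfo=UTC)),
    Record("dormant_notified", datetime(2024, 6, 1, tzinfo=UTC),
           notice_sent_at=datetime(2028, 1, 1, tzinfo=UTC)),
    Record("came_back_after_notice", datetime(2028, 1, 2, 9, tzinfo=UTC),
           notice_sent_at=datetime(2028, 1, 1, tzinfo=UTC)),
    Record("active_user", datetime(2026, 5, 10, tzinfo=UTC)),
    Record("legal_hold", datetime(2024, 1, 1, tzinfo=UTC), legal_hold=True),
    Record("token_holder", datetime(2024, 1, 1, tzinfo=UTC), needed_for_account_access=True),
]

if __name__ == "__main__":
    for when in (datetime(2027, 12, 1, tzinfo=UTC),
                 datetime(2028, 1, 2, 12, tzinfo=UTC),
                 datetime(2028, 1, 4, 12, tzinfo=UTC)):
        print(when.date(), sweep(SAMPLE_RECORDS, when, RULES_EFFECTIVE))
```

The split between "notify" and "erase" is the point of the design: a sweep that runs daily would emit the notice on the first pass and delete on a later one, and a record whose last interaction is newer than its notice is treated as live again, which is what the 48-hour window is for.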

Significant data fiduciaries

The Act lays down additional responsibilities for significant data fiduciaries, a class the Central Government notifies based on factors such as the volume and sensitivity of the personal data processed, the risk to the rights of data principals, and the impact on national security, public order and electoral democracy. Large platforms such as Facebook, Instagram, Twitter, YouTube, Google, Bing and e-commerce companies like Amazon and Flipkart are widely expected to fall in this class. The key obligations include carrying out a data protection impact assessment of the risks their processing poses to individuals' rights, conducting an audit every year, and reporting significant observations from both to the Data Protection Board.

Data Protection Board

To ensure the proper implementation of the DPDP Act, the government will establish a Data Protection Board (DPB). The board will play a key role in balancing the rights of individuals (data principals) and the responsibilities of companies (data fiduciaries). The DPB will operate mainly as a digital office, focusing on efficiency and accessibility. It will inquire into complaints and personal data breaches, direct remedial measures, and impose monetary penalties on companies that fail to comply with the Act.

The board will also register consent managers and, where one fails to meet its obligations, can suspend or cancel its registration.

Anyone aggrieved by a DPB order can appeal to the appellate tribunal, which under the Act is the Telecom Disputes Settlement and Appellate Tribunal. Appeals must be filed digitally.

Data breach

According to the Act, when a data fiduciary becomes aware of a personal data breach, it must promptly notify all affected data principals or individuals. The notification must be clear and straightforward, explaining the nature, extent, and timing of the breach, along with the potential consequences for those affected.

The company must also inform individuals of the measures taken to mitigate risks and provide recommendations for protecting their data.

The data fiduciary must also notify the Data Protection Board without delay, and under the draft Rules must follow up within 72 hours of becoming aware of the breach (or a longer period the board allows) with the facts and circumstances, the remedial steps taken to mitigate risk and prevent a recurrence, and details of the notifications sent to the affected data principals.

Child data

The DPDP Act treats anyone under 18 as a child and requires a data fiduciary to obtain verifiable consent from a parent or lawful guardian before processing a child's personal data, which in practice means before a minor can open an account on a platform such as Instagram or YouTube. Platforms must therefore check that the person giving consent is an adult and is the child's parent or guardian.

The draft Rules propose two ways of verifying the parent. If the parent already uses the platform, it can rely on the identity and age details it already holds for them. For example, if a child wants a YouTube account and the parent has a verified YouTube account, the platform can use the parent's information to verify their identity and age. If the parent does not use the platform, their identity and age can be verified through details or a virtual token issued by an authorised entity, such as a government body or a digital locker service.

Minister of Electronics and Information Technology, Ashwini Vaishnaw, explained that companies could use virtual tokens linked to a parent's identity and age, which would be voluntarily provided by the parent. These tokens will be created by the industry itself and could be linked to multiple forms of identity, depending on how the system evolves over time.

There are a few exceptions, including that healthcare professionals can process a child’s data without parental consent when it's necessary to provide health services or protect the child’s health. Educational institutions can also process data for educational purposes. Similarly, entities providing subsidies, benefits, certificates, or licenses can process a child’s data to provide those services. Failure to comply with the safeguards can result in a fine of up to Rs 200 crore.

The exemptions

Under the Act, the government is granted exemptions to process personal data, including that of minors, for specific purposes. These include providing subsidies, benefits, services, certificates, licenses, or permits by the state and its instrumentalities. However, government agencies must adhere to strict standards when processing such data.

These standards include limiting data processing to what is necessary for the specific purpose, retaining personal data only for as long as required, and ensuring reasonable security measures to prevent data breaches. The Act also does not apply to the processing of personal data necessary for research, archiving or statistical purposes, provided it is carried out in accordance with the standards specified in the Second Schedule of the draft Rules.

Processing data outside India

The Act regulates the transfer of personal data outside India. A data fiduciary that processes personal data in India, or processes it abroad while offering goods or services to people in India, must follow certain restrictions. The fiduciary must meet requirements set by the Central Government, which can be issued through general or special orders, governing how personal data may be made available to a foreign state, or to any person or entity under its control, so that the privacy of data principals in India is protected.

The New Indian Express
www.newindianexpress.com