Syllabus: Government policies and interventions
Ensuring comprehensive data protection is paramount for accelerating India’s digital economy and the Digital Personal Data Protection Bill strikes a harmonious balance between flexibility and data privacy measures, industry apex body.
The Digital Personal Data Protection Bill (DPDP Bill)
It is a proposed law in India that would regulate the processing of personal data by both government and private entities. The bill was introduced in the Lok Sabha (lower house of Parliament) on August 3, 2023.
The DPDP Bill sets out a number of rights for individuals, including the right to:
- Know what personal data is being collected about them and how it is being used
- Rectify or delete inaccurate or outdated personal data
- Object to the processing of their personal data for certain purposes
- Port their personal data to another data fiduciary
The bill also sets out a number of obligations for data fiduciaries, including the obligation to:
- Obtain consent from individuals before collecting or processing their personal data
- Use personal data only for the purposes for which it was collected
- Keep personal data secure
- Delete personal data when it is no longer needed
The DPDP Bill has been met with mixed reactions.
Some have welcomed the bill as a necessary step to protect the privacy of individuals in India. Others have raised concerns about the bill’s potential impact on businesses and the digital economy.
The bill is still under consideration by Parliament, and it is not yet clear when it will be passed into law. However, the DPDP Bill is an important step in the development of data protection law in India.
Here are some of the key features of the DPDP Bill:
- The bill applies to the processing of digital personal data within India, as well as the processing of digital personal data outside India if it is for offering goods or services to individuals in India.
- The bill defines personal data as any information that can be used to identify an individual, such as their name, address, phone number, email address, or biometric data.
- The bill requires data fiduciaries to obtain consent from individuals before collecting or processing their personal data. Consent can be express or implied, but it must be freely given, specific, informed, and unambiguous.
- The bill allows individuals to access their personal data, request that it be corrected or deleted, and object to its processing for certain purposes.
- The bill requires data fiduciaries to take measures to protect the security of personal data, such as using encryption and access controls.
- The bill establishes the Data Protection Authority of India (DPAI) as an independent body to oversee the implementation of the bill. The DPAI will have the power to investigate complaints, impose fines, and take other enforcement actions.