The Digital Personal Data Protection (DPDP) Bill, 2022, was approved by the Union Cabinet on Wednesday. A draft of the bill was introduced in November last year, and it is now expected to be tabled in Parliament during the Monsoon Session.

What is the Digital Personal Data Protection Bill about?

The Digital Personal Data Protection Bill was first introduced in 2019 and aims to safeguard the personal data of Indian citizens. It states how data should be stored, processed, and protected. The bill specifies the obligations of data fiduciaries when processing digital personal data and states the practices they must follow to prevent data breaches. It also defines the consent a data principal gives to provide such information.

“The purpose of this Act is to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto,” the draft bill states.

What are the provisions under the bill?

According to the draft Digital Personal Data Protection Bill, a person must process the personal data of a data principal only in accordance with the provisions of the DPDP Act. The draft also says that the data must be collected for a lawful purpose after taking consent of the provider. The person collecting the data must also give a notice “in clear and plain language” containing the type of personal data sought and the purpose.

However, a person would be deemed to have given his consent for the processing of personal data in certain cases. These include compliance with any judgement or order issued under any law, medical emergencies, providing medical treatment to an individual during an epidemic, and ensuring the safety of the individual during a disaster or breakdown of public order, among others.

According to the draft bill, a data fiduciary will be obligated to protect the personal data collected by it and must inform the Data Protection Board and each affected data principal in case of a data breach.

The data fiduciary must also “cease to retain personal data, or remove the means by which the personal data can be associated with particular Data Principals” after ensuring that the purpose for which the data was collected is no longer being served and retention of the data is no longer needed.

The bill also proposes to impose a penalty of up to Rs 250 crore on a data fiduciary for failure to prevent a personal data breach.

What are the concerns about the personal data protection bill?

The Digital Personal Data Protection Bill provides exemptions to law enforcement agencies and courts from certain key requirements. It says that the provisions would not apply if the processing of personal data is “necessary for enforcing any legal right or claim”, if the processing is done by any court, or done “in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law”.

RTI activists have also highlighted that the bill tends to dilute the provisions of the Right to Information Act as it will restrict government departments from sharing personal information of public office holders.