The Digital Personal Data Protection Bill: Rights, Obligations, Duties, and Special Provisions

The purpose of The Digital Personal Data Protection Bill is to provide for the processing of digital personal data in a way that recognizes both the right of individuals to protect their personal data and the necessity to process personal data for authorized purposes, as well as matters related to or incidental to those purposes.


Rights of Data Principal

  1. Right to information about personal data

A Data Principal has the right to obtain a summary of her personal data that is being processed or has been processed by the Data Fiduciary, together with the processing activities undertaken by the Data Fiduciary with respect to that data; the identities of all Data Fiduciaries with whom the personal data has been shared, along with the categories of personal data so shared; and any other information as may be prescribed.

  2. Right to correction and erasure of personal data

A Data Principal has the right to have her personal data corrected and erased in line with existing legislation and in the way prescribed.

  3. Right of grievance redressal

A Data Principal who is dissatisfied with a Data Fiduciary’s response to a grievance or who does not obtain a response within seven days or such a shorter period as may be prescribed may file a complaint with the Board in the manner prescribed.

  4. Right to nominate

A Data Principal shall have the right to nominate, in the way prescribed, any other individual who shall, in the case of the Data Principal’s death or incapacity, exercise the Data Principal’s rights in accordance with the requirements of this Act.


Obligations of Data Fiduciary

  1. General obligations of Data Fiduciary
  • be responsible for complying with the provisions of this Act
  • ensure that personal data processed by or on behalf of the Data Fiduciary is accurate
  • implement appropriate technical and organizational measures
  • protect personal data in its possession or under its control by taking reasonable security safeguards
  • notify the Board and each affected Data Principal in the event of a personal data breach
  • remove the means by which the personal data can be associated with particular Data Principals
  • publish the business contact information of a Data Protection Officer
  • put in place a procedure and effective mechanism to redress the grievances of Data Principals
  2. Additional obligations in relation to the processing of the personal data of children
  • obtain verifiable parental consent in such manner as may be prescribed
  • not undertake such processing of personal data that is likely to cause harm to a child
  • not undertake tracking or behavioral monitoring of children
  3. Additional obligations of Significant Data Fiduciary
  • The Central Government may notify any Data Fiduciary or class of Data Fiduciaries as Significant Data Fiduciary, on the basis of an assessment of relevant factors, including sensitivity and volume of data, risk of harm to Data Principal, the potential impact on the sovereignty and integrity of India, the risk to electoral democracy, security of the State, public order
  • The Significant Data Fiduciary shall appoint a Data Protection Officer who shall represent the Significant Data Fiduciary under the provisions of this Act. It shall also appoint an Independent Data Auditor who shall evaluate the compliance of the Significant Data Fiduciary, and shall undertake such other measures, including Data Protection Impact Assessment and periodic audits, in relation to the objectives of this Act


Duties of Data Principal

  • comply with the provisions of all applicable laws while exercising rights
  • never register a false or frivolous grievance or complaint with a Data Fiduciary or the Board
  • never furnish any false particulars or suppress any material information or impersonate another person
  • furnish only such information as is verifiably authentic while exercising the right to correction or erasure

Special Provisions

  1. Transfer of personal data outside India

After considering all relevant criteria, the Central Government may notify countries or territories outside India to which a Data Fiduciary may transmit personal data, subject to the limits and conditions indicated.

  2. Exemptions
  • The Central Government may, by notification, grant an exemption from the application of provisions of this Act in the interests of India’s sovereignty and integrity, security of the State, friendly relations with foreign States, maintenance of public order, or preventing incitement to any cognizable offense relating to any of these. An exemption may also apply where it is required for research, archiving, or statistical purposes
  • The Central Government may notify certain Data Fiduciaries or classes of Data Fiduciaries as Data Fiduciaries to whom certain provisions do not apply

By admin