The Ministry of Electronics and IT (MeitY) on Friday released the draft Digital Personal Data Protection Bill 2022, that seeks to outline the rights of individuals when it comes to sharing their data and the legal use of such data by companies.
This comes months after the government withdrew the controversial Personal Data Protection Bill 2019 in August this year. It was withdrawn on recommendations by the Joint Committee of Parliament amid severe scrutiny and criticism.
The government said that with the current draft bill, citizens can make suggestions and provide feedback. It said, "No public disclosure of the submissions will be made."
Here are the key takeaways from the Digital Personal Protection Bill, 2022:
Individuals Must Give Consent, Be Informed Of Data Usage
An organisation or a company, the bill says, can collect data from an individual only through the rules and legalities outlined in the bill and for purposes that are not forbidden by the law.
Companies would be required to notify individuals for submitting their data. Requests for consent need to be given to the individual "in a clear and plain language" a description of personal data that is being collected "and the purpose for which such personal data has been processed".
In case the data is shared with a third party, the company will also be responsible for stopping the third party from processing the data. The bill cites an example, "'A' subscribes to an e-mail and SMS-based sales notification service operated by 'B'. As part of the subscription contract, 'A' shares her personal data including mobile number and e-mail ID with 'B' which shares it further with 'C', a Data Processor for the purpose of sending alerts to 'A' via email and SMS. If 'A' withdraws her consent to processing of her personal data, 'B' shall stop and cause 'C' to stop processing the personal data of 'A'."
Companies are obliged to delete data after closure of account
According to the new bill, organisations must delete the personal data of individuals when the reason for obtaining the data ceases to exist and the retention of data is not required for "legal or business purposes".
For example social media platforms must delete personal data provided by a user while creating an account when they delete the account. In the case of banks, it can retain KYC details of a customer after closure of the bank account only for a prescribed period.
Individuals must be informed of data breach
Organisations or companies that store personal data of individuals must take required safety measures to protect it from being leaked or breached.
The draft bill states, "In the event of a personal data breach, the Data Fiduciary or Data Processor as the case may be, shall notify the Board and each affected Data Principal, in such form and manner as may be prescribed."
Obtaining data of minors
Every organisation that needs to collect personal data of minors must do so with the consent of their parents. The draft law defines children as those below the age of 18 years. The draft law says that organisations and companies are forbidden from any processing of the data that may harm children.
The draft law also forbids organisations from undertaking any "tracking or behavioural monitoring of children or targeted advertising directed at children".
Right to information, erasure of data
According the this draft bill, an individual can approach the organisation or company that they have provided their personal data to and ask them to provide a summary of their personal data, if it has been processed or is being processed, who the data has been shared with and which bits of the data has been shared.
An individual will also be within their rights to ask the company to correct or erase their personal data if required. The law states when requested for correction or erasure a company must "(a) correct a Data Principal's inaccurate or misleading personal data; (b) complete a Data Principal's incomplete personal data; (c) update a Data Principal's personal data; (d) erase the personal data of a Data Principal that is no longer necessary for the purpose for which it was processed unless retention is necessary for a legal purpose".
All Genders Referred To As She/Her
In a first, the government has drafted the a bill where all individuals of every gender were referred to as she/her.
In an explanatory note, the government said, "For the first time in India's legislative history, "her" and "she" have been used to refer to individuals irrespective of gender. This is in line with the government's philosophy of empowering women."
