The Indian economy has been digitalized as a result of Digital India, which has also changed governance generally and the lives of Indian citizens specifically. The use of technology and the internet has dramatically improved the lives of millions of Indians as well as their experience with governance. In addition to the numerous huge international Big Tech platforms that have a significant online presence.
The foundation of this burgeoning Digital Economy and ecosystem of digital goods, services, and intermediaries is data, namely Personal Data. Over the past few years, it has become evident that even while this data is used by platforms and intermediaries, they must nevertheless adhere to a set of guidelines and dos and don’ts. The Digital Personal Data Protection Bill is a piece of legislation that outlines the rights and responsibilities of the citizen (Digital Nagrik) on the one hand and the duty of the Data Fiduciary to use acquired data legitimately on the other.
The following data economy principles form the foundation of the proposed legislation:
- The first guideline is that organizations will need to use personal data in a way that is legal, fair to the individuals involved, and transparent to individuals.
- The second principle, purpose limitation, is that personal data is used for the purposes for which it was gathered.
- The third principle, data minimization, is that only the personal information needed to achieve a specified goal should be collected.
- The fourth principle, accuracy of personal data, is that a reasonable effort is made to guarantee that the individual’s personal information is correct and kept updated.
- The fifth principle, storage limitation, is that personal data is not automatically saved indefinitely. The time of storage should be limited to what is needed to fulfil the stated reason for collecting the personal data.
- The sixth principle states that appropriate measures must be taken to prevent the unauthorized gathering or handling of personal information. The goal here is to deliberately protect personal data.
- The decision-maker for the method and end-goal of processing personal data should be held accountable for those decisions, according to the seventh principle.
Personal data privacy policies have been based on these ideas in many different jurisdictions. The practical application of such regulations has allowed a more sophisticated vision of personal data protection to emerge, one that balances the rights of the individual, the public interest, and the convenience of conducting business, particularly for startups.
Important Data Fiduciary Duties and Obligations
An entity that is not already defined or named by the current Indian law is referred to as a “Data Fiduciary.” Under the DPDP Bill, the term “Data Fiduciary” has been introduced to describe a person who, individually or jointly with others, “determines the intent and means of processing” personal data in accordance with Data Principles. This definition includes both natural persons (such as any individual) and artificial or juridical persons (such as a company, firm, or other organization). In addition, the DPDP Bill establishes a distinction between a “Data Fiduciary” and a “Significant Data Fiduciary” and sets forth the necessary responsibilities and obligations for each.
The Bill has established the idea of a voluntary undertaking, which can be filed by any person who is a party to any issue (before the Board) concerning compliance with the Bill’s provisions, to undertake or refrain from undertaking a specific action within a defined period of time.
Right to be forgotten vs the right of corrections and erasure
The “right to be forgotten” of data subjects has been diminished by the Bill in its current version. While Chapter 3 of the Bill’s Provision 13 grants a data principal the right to the rectification and erasure of personal information, it also places restrictions on how they may exercise that right. The completion of such erasure is subject to the data no longer being required for the purposes for which it was collected, which implies that the data principal will have to waive their right to any service or good that would require the data fiduciary to hold such information in order to assert such a right. Additionally, the Bill’s clause 16 states that the Data Principal must only provide information that can be independently verified to be accurate when exercising their right to rectification or erasure. Every data principal should be given the option to request their information be erased under the proposed legislation, and this option should not be subject to any prerequisites.
Duties of Data Principal
The DPDP Bill specifies a number of responsibilities for a Data Principal, which are listed in Chapter 3 of the Bill. It is important to remember that the provision requires the Data Principal:
- To abide by all applicable laws when exercising their rights under the DPDP Bill’s provisions. The clause poses the question of whether a Data Principal’s capacity to exercise their rights under the DPDP Bill is contingent upon their adherence to the relevant legal requirements.
- To make sure they don’t file a fictitious or pointless complaint with the Board and with the Data Fiduciary. Since there are no set criteria for classifying a complaint as frivolous, its use has wide-ranging effects.
- To ensure, under a further requirement of the same provision, that only information that is unambiguously accurate is sent to the Data Fiduciary if they intend to exercise their right to the correction or erasure of personal data under the Bill.
Personal data transfer outside of India
The Central Government is required by the DPDP Bill’s Chapter 4 to notify the nations or jurisdictions outside of India to which a data fiduciary may transfer personal data. The clause further indicates that the government will later notify the public of the rules and regulations under which such a transfer will be permitted. The DPDP Bill does not limit the factors that might be taken into account when notifying nations.
Sub-provision 1 of the DPDP Bill’s Provision 18 states that the following situations are exempt from the application of all of Chapter 3 (which grants a Data Principal rights and obligations), nearly all of Chapter 2, and Provision 17:
- the data is being processed in order to enforce any claim or legal right;
- the information is being processed in India by any court, tribunal, or other entity for the purpose of carrying out any judicial or quasi-judicial activity;
- the processing of the data is done in an effort to stop, identify, investigate, or bring charges against anyone who violates the law;
Instead of a broad clause allowing any other organisation in India performing a judicial or quasi-judicial function, the DPDP Bill should have included safeguards to ensure that the processing of such data is restricted to specific occurrences.
In addition, there will be far-reaching repercussions if the rights of the Data Principal are suspended in the aforementioned circumstances.
Last but not least, the phrase “personal data of Data Principals not within the territory of India” restricts the rights of Data Principals who are nationals of India but are not resident there at a specific moment.
It is important to note that the draft DPDP Bill tries to give the data principal some influence over how their personal data is used, despite the fact that this is only the first stage of the bill’s development. The Bill seeks to make more transparent the existing system, in which the data principal is unaware of the (mis)use of their personal data by third parties. Of course, it will be interesting to see how these aspects of the Bill improve or develop over time given that it is still in its infancy.
The previous PDP Bill’s dubious incorporation of non-personal data appears to have served as inspiration for this bill, which aims to concentrate only on digital personal data.
The proposed Bill’s retrospective “notice” effect to the data principal is another crucial aspect. It follows that if the data fiduciary had gathered any personal information about the data principal prior to the implementation of the proposed Act, it would be required to notify the data principal in writing, itemizing the data it had gathered and the reason for doing so.