The Digital Personal Data Protection Bill (DPDP), which was tabled in the Lok Sabha on Wednesday, empowers citizens to direct all digital platforms to delete their past data. Once the Bill becomes law, the power of Big Tech firms, which largely results from their holding huge amounts of consumer data, will be minimised. They will no longer be able to monetise consumer data by using it for purposes other than those for which it was collected.
The firms concerned will need to collect data afresh from users and spell out clearly its purpose and usage. They will be booked for data breach if they depart from the purpose for which it was collected, according to the provisions of the Bill.
Companies handling large volumes of data will also have to appoint data protection officers, who will be the point of contact for the grievance redressal mechanism. Such entities will also have to appoint an independent data auditor to carry out data audits.
Further, the onus for a data breach resulting from theft by employees, etc, will lie with the companies, and the Data Protection Board will levy a penalty on the company, the maximum amount of which has been fixed at ₹250 crore. The government can increase the fine through an amendment to the schedule if it feels the need to do so.
However, certain startups, after the government’s approval, will be exempt from these onerous provisions of the Bill, but they will still be subject to penalties for data breaches. The exemption for startups will not be in perpetuity, but only for the time they are devising a new product. Once the product is tested and goes commercial, they will also be governed like established firms dealing in larger volumes of data.
The Bill basically aims at data minimisation, purpose limitation and storage limitation. Data minimisation means entities can collect only the absolute minimum required. Purpose limitation means they can use the data only for the purpose for which they acquired it. And storage limitation means that after the services have been delivered, the data needs to be deleted.
Rajeev Chandrasekhar, minister of state for IT and electronics, said, “The Bill is globally competitive and addresses the seemingly contradictory objectives such as protecting citizen’s rights, creating compliance-friendly regime for startups and the digital economy and to define the clearly emergent situation in which the government has access to the personal data of the citizens”.
The government will also have the power to block any intermediary or other firms in case of frequent data breaches and violation of provisions of the Bill. Upon recommendations of the Data Protection Board, the Bill gives the government the power to block any firm which is penalised in two or more instances for violating the provisions.
Likewise, the Data Protection Board can also impose a penalty on data principals (users) for false complaints related to any grievance against any data fiduciary (agency processing data), according to the Bill.
The Telecom Disputes Settlement and Appellate Tribunal (TDSAT) will act as an appellate tribunal for aggrieved parties to appeal against the order of the Data Protection Board.
On cross-border data flow, the government will specify a negative list of countries to which personal data of users cannot be transferred.
Data fiduciaries will need the consent of parents/guardians for processing data of children below the age of 18. However, the government has retained the power to relax this requirement if it feels that data processing will be done in a safe manner.
The government has given itself powers to exempt certain agencies dealing with security matters and law and order from the provisions of the Bill. Similarly, courts and tribunals will not come under its purview if personal data is required for purposes of investigation and detection of crime. Exemptions will also be provided if processing of certain data is required in cases of merger and acquisition of companies, and in cases of default in payment of loans, etc, where financial information needs to be processed.
Similarly, the Data Protection Board will also not be liable for any prosecution.