The long-awaited data protection rule draught was released by the Indian government on Friday, marking the fourth attempt since it was first suggested in July 2018.
Public comment on the draught is welcome till December 17, 2022.
Including over 760 million internet users in India, it is essential that the data created and utilized by online platforms be governed by privacy laws to avoid misuse, boost accountability, and foster trust.
The Salient Elements of Digital Personal Data Protection Bill 2022
Here are the Digital Personal Data Protection Bill 2022’s most critical salient elements.
The government has the power to dictate which nations businesses can transfer personal data to. Thanks to this, companies can send user data to servers in the countries on the list.
Under the proposed law, the government may exclude state agencies from processing data if doing so will advance national security.
To monitor adherence to the proposed law, the government will create a “Data Protection Board.” Additionally, the board will hear user concerns. “For the objectives of this Act, the Government of India shall, by notification, constitute a Data Protection Board of India. Workload distribution, complaint processing, hearing group formation, and decision-making. And other Board tasks must all be done digitally by design, “the proposal claims.
Companies of “substantial” size should employ a separate data auditor to assess compliance with legal requirements based on variables. They include the amount of information they process.
For non-compliance, the Data Protection Board can impose monetary fines. The draught proposal stated that failure to implement acceptable security measures to avoid data breaches might result in penalties ranging up to 2.5 billion rupees ($30.6 million).
If user data is no longer needed for the business reason it was gathered, companies must discontinue keeping it. Users have the right to request updating and deleting their personal data.
Advertising cannot specifically target children, and no organization or firm will be permitted to process personal information that is “likely to cause damage” to children. A child’s parents must approve before any personal information about them is processed.
The regulation will apply to digitalized offline material and online personal information. If processing entails creating user profiles for Indian users or offering them services, it will apply to personal processing data abroad.
Regulatory framework proposed by the Bill
The ongoing draft fundamentally limits the domain of the proposed Information Security Leading group of India. In contrast with the administrative structure imagined before the emphasis of the draft regulation. Here the proposed controller, the Information Assurance Authority, was enriched with vast powers of guideline-making, requirement, and settlement (DPB). The focal government has been provided the capacity to make rules under around 14 of the DPDP Bill’s 22 arrangements.
This represents a test for various reasons. One of the most excellent datum guardians in the country is the public authority. It handles the individual data of millions of Indians to offer types of assistance and advantages, and issue licenses, grants, and official IDs. Thus, it is pivotal that the foundation is liable for making the guidelines free of the public authority to ensure the fair assurance of information administrators’ inclinations. There would be an irreconcilable circumstance on the off chance that these powers were given to the Association government, which these regulations would represent. For example, the public authority can assign “fair and sensible” reasons to license the handling of individual information without understanding the person.
As an information trustee itself, the public authority will be at risk of anything regulations it makes about information security necessities. For example, information breaks, information insurance influence evaluations, information reviews, and data that an information guardian can mention. Moreover, the DPDP Bill 2022 must offer an excellent official course for drafting these rules. This raises the issue of extensive regulative appointments.
At last, since it would assign DPB individuals, determine the terms and conditions of the arrangement. Also indicate the obligations the DPB will complete, the Focal government has more impact over the proposed DPB.
