Exploring the Data Protection Bill: Safeguarding Your Digital Privacy
Data protection and data privacy have become increasingly important in today’s digital age. Our personal data is constantly being collected and processed by various entities, raising concerns about how it is being used and secured. In India, the right to privacy is recognized under Article 21 of the Constitution, which also covers data privacy.
To better understand this concept, let’s consider an example. Imagine you’re using Instagram in 2023, and the app asks for access to your phone number, location, contacts, and email ID. It is up to you to decide whether to allow or deny this access. This ability to control your data is known as data privacy. However, if you choose to provide access, it is the responsibility of Instagram to protect and secure your data; that responsibility is known as data protection.
The Data Protection Bill of 2022 aims to address the processing of an individual’s digital data in a way that respects both their right to protect their data and the need to process it for lawful purposes. The bill introduces new terms such as data principal, data fiduciary, and profiling.
A data principal refers to an individual to whom the personal data relates, while a data fiduciary is a person or group of persons who determine the purpose and means of processing an individual’s personal data. Profiling, on the other hand, involves using data to predict the behavior and interests of the data principal. For instance, when you search for a product on Amazon and later see related ads on Google, that’s profiling. In this scenario, you are the data principal, and Amazon and Google are the data fiduciaries.
Consent plays a crucial role in data privacy, as it is our personal data that we share. The Data Protection Bill emphasizes the data principal’s consent, which is a positive aspect of the bill. It states that the data principal must provide clear affirmative action to signify their consent for processing their data for a specific purpose. If the data principal is under the age of 18, their legal guardian must provide consent on their behalf. The data principal also has the freedom to withdraw their consent at any time, but they must bear the consequences of doing so. Once consent is withdrawn, the data fiduciary must stop processing the data principal’s personal data.
For example, if you have subscribed to a daily news service like journal press and later decide to withdraw your consent, the service provider must immediately stop processing your data. However, withdrawing consent may also result in the termination of the provider’s services to you.
The concept of deemed consent is introduced in the new Data Protection Bill. This means that under certain circumstances, the data principal is presumed to have given consent to the processing of their data. For example, when you order a pizza online and provide your phone number and address for delivery, it is presumed that you consented to sharing that information with the pizza company. Other circumstances where deemed consent applies include the performance of functions under the law for the benefit of the data principal and compliance with judgments or orders.
In addition to protecting the data acquired from the data principal, a data fiduciary has other obligations as well. These include making reasonable efforts to ensure data accuracy, taking appropriate technical and organizational measures to protect data, and removing or erasing data once its purpose has been fulfilled (except for government entities). The data fiduciary must also comply with the law, share data with other data fiduciaries with the data principal’s consent, inform the board and the data principal in case of a data breach, and ensure data safety and non-sharing.
The data principal has certain rights regarding their personal data. They can request a summary of processing activities undertaken by the data fiduciary, as well as the identities of all data fiduciaries with whom their data has been shared. The data principal also has the right to correct inaccurate data, update their data, complete incomplete data, and request erasure of their personal data.
In case of any grievance, the data principal can register it with the data fiduciary. If they are dissatisfied with the response, they can approach the Data Protection Board and file a complaint. The data principal also has the right to appoint someone to exercise their rights in case they are incapacitated or deceased.
If the data principal is unsatisfied with the response or receives no response from the data fiduciary, they have the option to register a complaint with the board. Non-compliance with the duties outlined in the bill is a punishable offense. The Central Government will establish the Data Protection Board of India, which will ensure compliance with the Act and take strict action or impose penalties for non-compliance. The board’s functions include directing data fiduciaries in case of data breaches, addressing non-compliance, and conducting complaint proceedings.
Every person is required to comply with the board’s orders, which hold the same weight as decrees issued by a civil court. However, there is currently no appellate authority, which means the board’s decisions are final.
In conclusion, the Data Protection Bill of 2022 focuses on the processing of personal data while recognizing the rights of individuals to protect their data. It addresses concepts such as consent, deemed consent, data fiduciary obligations, data principal rights, and the establishment of the Data Protection Board of India. By ensuring compliance with the Act and safeguarding data privacy, this bill aims to provide individuals with greater control over their personal data in the digital realm.