Friday, May 17, 2024
Outlook.com
Outlook India
Outlook Business

Data Protection Bill Moots Power To Govt To Call For Information From Data Collecting Entities, Board

The Digital Personal Data Protection Bill was tabled in Lok Sabha

Data Protection Bill Moots Power To Govt To Call For Information From Data Collecting Entities, Board
Pexels

Press Trust Of India

POSTED ON August 04, 2023 9:10 AM

The data protection bill introduced in Parliament on Thursday enables the Government "to call for information" from the data protection board, data collecting entities or intermediary and safeguards the Centre from legal proceedings for "action taken in good faith" under the provisions of the legislation.

After two or more instances of norm violation by a data collection entity, the Government on the advice of Data Protection Board, can directly block access to information in the interest of the general public, according to the provisions of the Bill.

The Digital Personal Data Protection Bill was tabled in Lok Sabha on Thursday.

"...after giving an opportunity of being heard to that Data Fiduciary, on being satisfied that it is necessary or expedient so to do, in the interests of the general public, for reasons to be recorded in writing, by order...direct any agency of the Central Government or any intermediary to block for access by the public or cause to be blocked for access by the public any such information," it said.

This provision will apply where the Board informs the Government about the imposition of monetary penalty on a Data Fiduciary in two or more instances and advises such blocking in public interest.

"The Central Government may, for the purposes of this Act, require the Board and any Data Fiduciary or intermediary to furnish such information as it may call for," as per the Bill.

While the data collecting and processing entity (Data Fiduciary) has to obtain the consent of parents before processing the personal data of children (defined as individuals below the age of 18 years), there is some leeway for entities that abide by secure and "verifiably safe" processing of children's personal data. 

"The Central Government may, if satisfied that a Data Fiduciary has ensured that its processing of personal data of children is done in a manner that is verifiably safe, notify for such processing by such Data Fiduciary the age above which that Data Fiduciary shall be exempt from the applicability of all or any of the obligations...in respect of processing by that Data Fiduciary as the notification may specify," it said.

All in all, the Digital Personal Data Protection Bill or Data Protection Bill, in short, provides for the processing of digital personal data, recognising the right of individuals to safeguard their information and the need to process personal data for lawful purposes.

It defines personal data breach as unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, alteration, destruction of or loss of access to personal data that compromises personal data's confidentiality, integrity or availability.

It classifies the data ecosystem into Data Fiduciaries (who determines the purpose and means of processing personal data) and Data Principal (individual to whom the personal data belongs), laying down obligations and dos and dont's for the former and specifying the rights and duties of the latter.

Once approved by Parliament, the norms will apply to personal data collected within India from data principals online and personal data collected offline but subsequently digitised. It will also apply to such processing outside India if it is for offering goods or services to individuals in India.

The proposed provisions of the Act do not apply to personal data processed by an individual for any personal or domestic purpose, personal data caused to be made publicly available by data principle, say a blogger sharing personal data on his/her social media blog.

Personal data can be processed only for a lawful purpose for which an individual has given consent and for certain legitimate uses. 

It means that notice is to be given by the data fiduciary (entities taking the data) to an individual concerned describing the data being taken and the purpose for which it is being processed. 

Citing an instance, it says if a bank is processing customer KYC, they have to send notice to the individual concerned describing the data and purpose of processing.

Consent of the individual needs to be a clear affirmative action, agreeing to process personal data only for the specified purpose. 

This means that even if consent is for other purposes, say giving access to a contact list while downloading a telemedicine app; the consent will be seen as limited only to the actual and real purpose of data being collected.

  • Related Articles

    The government imposed import restrictions on laptops, tablets and certain types of computers for security reasons and to promote domestic manufacturing

    Import Curbs On Laptops, Tablet Will Boost Local Manufacturing: Industry Players

    The program will provide these start-ups access to impactful AI models and tools, business and technical mentorship

    AWS, Accel Announce ML Elevate 2023 To Support Generative AI Start-Ups

    The 60 employees who were laid off were reportedly from tech, sales, customer success, and HR departments

    Azim Premji-Backed Increff Fires 20% Workforce