The Digital Personal Data Protection Bill, 2023, attempts to address a host of concerns to ensure that companies won’t be able to use the personal data of people in an arbitrary manner.
In a digital age where the virtual realm intertwines with reality, an unprecedented amount of personal data is entrusted to corporations such as Facebook, Uber, Twitter, and YouTube. Yet, as the digital tapestry grows, so does the concern for privacy and the need to protect data.
The bill has a provision whereby the data of a person can be processed only for the specific purpose for which they have given consent. This purpose must be specified beforehand in the form of a notice to the concerned person.
For instance, if a telemarketing company with whom you have not had any contact and have not shared your information suddenly starts calling you for marketing purposes, there is a legitimate reason to inquire as to where they got the number from. And if they fail to provide a reasonable answer, then the matter can be taken up with the Data Protection Board.
A lot of businesses rely on cold calls, whereby they buy a list of phone numbers and randomly call people, and there is no way these companies will be able to establish what the law now requires them to establish, Rahul Matthan, partner at Trilegal, told BQ Prime.
When a company processes personal data, the onus is on them to show that a notice was duly provided and consent was received before processing the data, he said. They cannot opt out of it by saying that the person has waived their right to be limited by a specified purpose, Matthan said.
The bill speaks of the obligations of data fiduciaries—or those entrusted with the data—who make decisions as to how the data is to be processed or used.
It states that the data fiduciaries have an obligation to provide a notice for receiving consent from the person in all languages specified in the 8th Schedule of the Constitution.
Such a provision seeks to democratise data protection, ensure that data processing-related implications are widely understood, and make the benefits of the law available to all, Deborshi Barat, counsel at S&R Associates, told BQ Prime.
Another prescribed obligation for a data fiduciary is that they will not be able to contract out of the provisions of the bill. For example, the data fiduciary cannot insert a clause in the notice through which they get a person to waive their right to file a complaint with the Data Protection Board, as such a waiver will be considered invalid.
Matthan said that if something doesn't comply with the law, then putting it in your privacy policy will be irrelevant because it will be invalidated the moment the law comes into force. He said companies will have to rethink their internal business processes because a lot of them depend on these policies.
The bill also contains a provision whereby companies will have to come up with a process to delete the data after the person withdraws their consent or when the specified purpose for which the data was being used is no longer being served.
It is crucial to note that the 2022 draft permitted a data fiduciary to retain personal data if retention continued to be necessary for business purposes. This exemption has now been removed, and under the 2023 bill, a data fiduciary can only retain data if retention is necessary for compliance with any law, Barat said.