The Ministry of Electronics and IT(MeitY) has released the Digital Personal Data Protection Bill 2022, and the government is currently seeking public feedback and consultations. The measure is intended to lay out the procedures and guidelines for data collecting for businesses and the rights and obligations of “digital nagriks,” or citizens.
The measure also establishes severe penalties for breaking any law’s rules, and the Data Protection Board of India—which the new law has set up—will make these determinations. However, board orders may be contested in a High Court.
The Data Protection Bill Focuses On Seven Fundamental Principles
The Bill’s explanatory note states that it is founded on seven principles. The first is that organizations must use personal data in a way that is legitimate, fair to the individuals involved, and transparent to individuals. The second principle states that personal data must only be used for the purposes for which it was collected. The third principle discusses data minimization, while the fourth principle emphasizes data accuracy when it comes to collection.
The fifth principle states that personal information cannot be stored perpetually by default and should only be kept for a specific time. According to the sixth principle, there should be enough protections to guarantee that no unauthorized collection or use of personal data occurs.
Seventh principle: The person who determines the nature, scope, and means of personal processing data shall be liable for such processing.
Defining Definitions- What Data Principal And Data Fiduciary Implies
The person whose data is being gathered is referred to throughout the Bill as the “Data Principal.”
The purpose and means of processing an individual’s data are determined by the “Data Fiduciary,” which may be a person, business, government agency, or other entity.
The law also acknowledges that parents or legal guardians will be regarded as children’s Data Principals in cases where they are children, defined as all users under 18.
According to the law, all data by or in connection to which an individual can be identified is considered personal data. Processing is the full range of processes that may be applied to personal data. According to the Bill, data processing would include data collection and storage.
The measure also guarantees that people should have access to essential information in the languages included in the Indian Constitution’s eighth schedule. Furthermore, the Bill stipulates that consent must be obtained from the subject before their data is processed and that each individual should be aware of the specific personal data that a Data Fiduciary wishes to collect and the purposes for such collection and further processing.
Additionally, the notification of data collection must be written in language that is both explicit and understandable. Additionally, people can revoke their consent from a data fiduciary.
Two Rights Of Action- The Rights To Erase Data And To Nominate
Data principals can request the deletion and updating of data that the data fiduciary has acquired. If the data principal passes away or becomes incapable, they can also designate a person to act on their behalf.
The measure also grants customers the ability to protest to the Data Protection Board about a Data Fiduciary if they do not receive a sufficient response from the business.
What Are The Relevant Data Fiduciaries In Data Protection?
Furthermore, the Bill refers to Significant Data Fiduciaries, who handle a sizable amount of personal data. The Central government will decide who falls under this group based on various considerations, including the amount of personal data collected, the risk of harm, and the potential impact on India’s sovereignty and integrity.
The Bill’s explanatory note states that this category must fulfill additional duties to permit wider scrutiny of its actions.
Such organizations will be required to designate a “Data protection officer” to act on their behalf. They will serve as the focal point for grievance redress. They must also choose an impartial data auditor to assess their compliance with the statute.
Financial Punishments And Penalties
The draught also suggests that businesses that experience data breaches or fail to notify customers when breaches occur face harsh penalties. Entities that do not implement “reasonable security safeguards” to prevent personal data violations could face fines of Rs 250 crore.
Data Protection For Data Transfer Across International Borders
The measure also permits storing and transferring data across international borders to certain notified countries and territories.
The memo further states that the Central Government would consider essential criteria before such notification.
Bottomline
The government may also exempt specific enterprises from complying with the Bill’s provisions based on the number of users and the volume of personal data collected by the firm. When doing this, the national startups that complained that the prior version of the Bill was compliance intensive have been taken into account.
About Signzy
Signzy is a market-leading platform redefining the speed, accuracy, and experience of how financial institutions are onboarding customers and businesses – using the digital medium. The company’s award-winning no-code GO platform delivers seamless, end-to-end, and multi-channel onboarding journeys while offering customizable workflows. In addition, it gives these players access to an aggregated marketplace of 240+ bespoke APIs that can be easily added to any workflow with simple widgets.
Signzy is enabling ten million+ end customer and business onboarding every month at a success rate of 99% while reducing the speed to market from 6 months to 3-4 weeks. It works with over 240+ FIs globally, including the 4 largest banks in India, a Top 3 acquiring Bank in the US, and has a robust global partnership with Mastercard and Microsoft. The company’s product team is based out of Bengaluru and has a strong presence in Mumbai, New York, and Dubai.
Visit www.signzy.com for more information about us.
You can reach out to our team at reachout@signzy.com.
Written By:
Signzy
Written by an insightful Signzian intent on learning and sharing knowledge.
