Aug 11, 2023

What Does India’s New Data Protection Law Say?

Both Houses of the Parliament passed the Digital Personal Data Protection Bill, 2023 (“DPDPB”) last week during its Monsoon Session.This Bill is the culmination of nearly a decade-long effort to protect citizens’ digital information. The DPDPB seeks to introduce more robust reporting mechanisms including the Data Protection Board to oversee and manage all complaints regarding personal data breach. In this Weekly, we’ll discuss what changes can be expected with the new law coming into force. 

Consent for use and processing of personal data

Unwarranted leaks and misuse of personal information are the most common forms of online abuse. The recent incidents of disclosure of sensitive information of users of Air India, CoWin or even Domino’s Pizza highlight how consumer data can be easily accessed and misappropriated. The DPDPB aims to create safeguards against such data leaks. 

Section 5 of the Bill mandates that before collecting any personal information of users, digital platforms must notify the user about the specific use of such information and obtain their consent. 

Section 6 of the Bill further specifies that any digital entity which collects personal information will now only be able to use, store or process such information once the user provides “free, specific, informed, unconditional and unambiguous” consent to do so. 

The user may also withdraw such consent. If they do, the platforms have to stop any act related to data processing within a “reasonable period of time”. This promises to give users more autonomy and control over their personal data on digital platforms. 

Right of users to information regarding the use of personal data

Digital platforms, whom the users have allowed to process their personal information, can get the following from them:

  • a summary of the personal data collected, 
  • list of all other entities who have access to such information, 
  • the duration for which such information shall be retained and
  • the specific purposes for which such information will be used. 

Any use beyond the scope of the consent of the user will attract punishments under this Bill. 

Right to correction of personal information on digital platform

If a user wants to correct, update or erase any of their personal information available with any digital platform, they can do so by raising a request with that platform. Section 12 of the Bill obligates the platform to promptly remove any incorrect or misleading information or update any inadequate information of the user if it receives such a request. An exception of this is when any existing law like the Information Technology Act, 2000 and its allied Rules or a notice issued by a competent department of the government makes retaining that information necessary. 

Right to grievance redressal

If a user has any grievances about the use of their personal information, they can raise grievances with the ‘Consent Manager’, an officer designated with the Data Protection Board to help users manage and review the use of their digital data. The Bill also establishes the Data Protection Board which is a central authority responsible for remedying any complaints of personal data breaches and imposing penalties to the guilty parties. The users therefore, now have a centralised source to have their grievances registered and redressed. 

It is important to understand that the DPDPB is an addition to the existing laws, such as the Information Technology Act, 2000 and related Rules that help users report and take action against any unauthorised use of personal information. While it does not replace the existing legal framework governing digital data, once in force, the DPDPB will empower the users to control what personal data they share with which digital entity and protect such data from any unauthorised use as well as erase any information from the digital space if they ever feel the need to.