The Lok Sabha passed the Digital Personal Data Protection Bill, 2023, on Monday. While the overall takeaway is about the enhancement of privacy around data, there might be more that impacts the common user.
To start with, the Bill defines some common terms repeatedly used in it. For instance, Data Fiduciary, which means any person who alone or in conjunction with another person(s) determines the purpose and means of the processing of personal data; Data Principal, which means the individual to whom the personal data relates and where such individual is — (i) a child, including the parents or lawful guardian of such a child; (ii) a person with a disability, including his/her lawful guardian, acting on his/her behalf. There is also the Data Processor, which is any person who processes personal data on behalf of a Data Fiduciary.
In conversation with Storyboard18, Nakul Batra, Partner at full-service law firm DSK Legal, breaks down the Bill for easy understanding. He talks about consent withdrawal, the right to data erasure, consent fatigue, and more.
Edited excerpts:
If we have to sum up the Bill in simple words, what would change for the common man surfing the internet once it is passed?
In a nation that is steadily embracing digital inclusivity and governance, this Bill is a pivotal step in educating and sensitising ‘digital nagriks’ about their digital privacy and its significance.
It increases public awareness regarding how their data is processed, providing them with control over the extensive personal data they generate and share while browsing the internet.
They gain the authority to control their data transfers, usage, access, and tracking of online activities across various websites. Armed with this awareness, individuals can retract consent and request data removal from unwanted entities. Such a measure may also combat identity theft and fraudulent activities that have thrived due to unregulated data trading and illicit data sales.
Furthermore, individuals will become aware of the breaches of their data, which they were previously unaware of.
Yet there’s a potential concern: regular receipt of consent notices may lead to ‘consent fatigue’, causing individuals to accept requests without reading them or thinking about them.
Nevertheless, a profound shift in how the common man engages with internet browsing is anticipated, as well as how companies handle their data.
More specifically, please explain how social media experiences can become safer with the Bill because that is where a lot of personal data is shared.
The Bill will restrict the current practice of sweeping consent that social media companies currently depend on to collect, analyse, and share large amounts of user data with affiliated or contracted entities.
This restriction will apply to data that isn’t required for the specific purpose of engaging with the social media platform. Instead, specific, free, informed, unambiguous, and unconditional consent must be obtained in a clear way for any other use of the user’s data, especially for marketing and selling it for particular purposes.
Implementing this measure will curb the exploitation of users’ information and provide them with more control over who accesses and processes their data, as well as how it’s utilised.
It’s important to recognise, though, that the Bill excludes personal information and data that users themselves share publicly on social media platforms.
Consequently, this exclusion limits the protection provided. It might unintentionally give data principals a false sense of security that their actions and personal data on social media platforms won’t be scraped by social media and other companies. However, ultimately, the degree of data protection and its effectiveness will rest on the data principal’s mindful use of online platforms.
Moving on to the other side, in terms of security mechanisms, what kind of safeguards should data fiduciaries put in place?
Data fiduciaries will be required to implement appropriate technical and organisational measures to ensure the protection of personal data in their possession/control.
In terms of security mechanisms, data fiduciaries may consider implementing managerial, technical, operational, and physical security control measures to restrict access to and protect digital personal data, along with conducting periodic audits of their security mechanisms. This process might involve initiating compliance with ISO 27001 certification as the foundational step for data fiduciaries. It would also entail defining their policies for data collection, retention, usage, and addressing grievances.
How would the fiduciaries prepare for obtaining consent, and how would they make sure that the data is used only for the purpose for which it was obtained?
The DPDP 2023 has proposed higher standards for obtaining consent from data principals. Consent must be given freely, specifically, with full information, unconditionally and unambiguously, involving clear affirmative action, and limited to the specified purpose. The DPDP 2023 mandates that every request for consent must be accompanied by (or preceded by) a notice detailing the purpose of data collection and the rights of the data principal and their exercise (such as withdrawal of consent and grievance redressal), in English or in any of the Eighth Schedule languages. That means that the data principal should be given a meaningful and actual choice to consent for each separate purpose.
In the case of consent received prior to the enactment of DPDP 2023, data fiduciaries would have to share such notice as soon as reasonably practical. Further, the data principals will have the right to information under DPDP 2023, requiring data fiduciaries to inform them about the data’s usage and purpose. If the data is used for a purpose other than that specified, the data principal’s non-compliance may result in penalties as prescribed by the proposed law.
There is already a lot of data that users have shared. How will data fiduciaries deal with the data already in their possession? How much of it can be retained and how much should be discarded?
The DPDP 2023 provides that for data already existing in the records of data fiduciaries, the data fiduciaries would be required to issue a notice to data principals that details the purpose of data collection and the rights of the data principal. As per the current draft of the DPDP 2023, it is stated that such notice be issued as soon as it is reasonably practical.
In terms of retention of personal data, and given the high thresholds set out under the DPDP 2023 for obtaining consent, data fiduciaries may consider evaluating such data vis-à-vis the purpose for which it was collected and whether there is cause for the erasure of personal data that is not necessarily required to serve the specified purpose.
In terms of grievance redressal, what kind of setup should be put in place by the fiduciaries? Can they use the one used under the IT Rules?
The grievance redressal system should effectively manage complaints from data subjects regarding how their personal data is being processed. This covers concerns related to data accuracy, the purpose of processing, data erasure, and the effective withdrawal of consent. The DPDP 2023 introduces escalated measures of grievance redressal, specific to the protection of personal data, which are going to be in addition to the grievance redressal reforms under the current regime.
While the grievance redressal mechanism under the IT Rules, 2021, also prescribes that it must be accessible, transparent, and independent, it is not as comprehensive as the grievance redressal mechanism under the DPDP, 2023. The IT Rules, 2021, only require significant social media intermediaries to meet a higher degree of compliance on redressal mechanisms.