The measure mandates identifying a Data Protection Officer and providing contact information, as well as openly disclosing the type of information gathered and its intended use.
The nation’s first piece of law to protect personal data was adopted by the Parliament on Wednesday, a significant milestone. The bill is called the Digital Personal Data Protection Bill (DPDP). The bill has been designed to be adaptive to changing technical ideas, enabling the addition of new data concepts without calling for further modifications, according to Minister of Communications and Information Technology Ashwini Vaishnaw.
Vaishnaw said that the administration has already started laying the framework for putting the bill into effect and that it would soon start to be put into practice. He emphasized that meetings with fiduciaries will be part of the rollout process, guaranteeing a hasty but cautiously conducted deployment.
The measure will enter into force after receiving presidential approval and being published in the gazette. The law’s implementation is notable since it comes six years after the Supreme Court declared that privacy is a fundamental right. This accomplishment signifies the bill’s second attempt at successful passage. The original measure was presented by the government in 2019, but it was withdrawn last year as a result of 81 suggestions made by the joint parliamentary committee. This thorough analysis resulted in the bill’s present version, which was then completely revised.
“Since this is transforming the whole digital economy, we will proceed with all steps under proper checks, balances, and verification. It needs to be a strong system, the minister added.
The proposed legislation requires businesses, sometimes known as “data fiduciaries” (companies) and “data principals” (individuals), to strengthen their security measures for digital data acquired from individuals. This requires clearly stating the type of information gathered and its intended purpose, appointing a Data Protection Officer and providing the person’s contact information, and giving users the ability to remove or alter their personal data.
These requirements are similar to those found in international data protection laws, such as the General Data Protection Regulation of the European Union.
The Bill proposes sanctions ranging from Rs 50 crore to Rs 250 crore for cases when firms disregard their duties to disclose information or fail to maintain user data protection. It’s important to remember that these fines can add up, making it possible to impose several fines on a single piece of data.
Additional directives, pertaining to the categorization of ‘significant’ data fiduciaries and subjecting them to more rigorous requirements such as data audits and ‘Data Protection Impact Assessments’, will be communicated by the Union government at a later time.