Provisions of the Digital Personal Data Protection Act, 2023 will come in force in a few months, after the Centre has allowed enough transition time to the industry, with users of these platforms — you — experiencing several new notices and rights, as prescribed in the law.
But there will be a number of restrictions as well, which could indefinitely suspend many of the rights the law affords to users.
Question No. 1: When can an entity process your personal data?
There are broadly two circumstances under which entities — both government and private — can process an individual’s personal data: (i) there has to be clear consent for such processing; and (ii) for certain “legitimate uses”.
When an entity processes your personal data on the basis of your consent, the request for consent has to be accompanied by a notice, which must be made available in all 22 languages of Schedule 8 of the Constitution. You can give consent directly to the business or government entity that will process your personal data, or alternatively use a consent manager.
Question No. 2: What happens to your personal data that was collected before this law came into existence?
Any entity that has collected a person’s personal data before the Act came into being should give her a notice about the personal data in its possession “as soon as it is reasonably practicable”.
The notice should include:
The personal data an entity is processing and the purpose for such processing;
The way in which a user can withdraw their consent;
The means of grievance redressal.
However, the contents of this notice have been significantly diluted from previous iterations of the many data protection Bill drafts of the last five years. For instance, the Act does not require companies to state the duration for which they will store personal data, whether it will be shared with third parties, or whether it will be sent to a foreign jurisdiction.
There are exemptions to consent requirements as well:
The Act says that the government can exempt itself and its instrumentalities from adhering to any and all provisions of the law that relate to processing of personal data.
Question No. 3: How will your interactions with your apps change as a consequence of this law?
Once the Act’s provisions are in force, you can expect a barrage of consent notices from the apps that you have downloaded.
At that time, you can choose to withdraw consent from any app that you wish to, and it will then have to delete your personal data. However, you may no longer be able to use the app if you do not consent to it processing your personal data.
There is a caveat here, though: a separate provision in the law requires entities to retain data for law enforcement purposes, which could lead to them not deleting your data even after you have asked for it.
Users have a right to access their personal information in the possession of an entity and to request its erasure.
If personal data relating to you is incorrect, you can also request a correction of that data.
You can also nominate a person who may take decisions regarding your personal data in case of death or incapacity to carry out such functions.
Question No. 4: Will your rights be restricted in any way?
Broadly, there are three major roadblocks that restrict the rights prescribed in the law, or prevent those rights from applying to individuals at all. These are as follows:
* Government exemptions: In the interest of national security, friendly relations with other governments, and public order, among others, many of the provisions of the Act, including the rights afforded to citizens, will no longer be applicable.
“The way we have prepared the law, it has adequate safeguards for citizens. A lot of the fear against the government’s power comes from citizens’ experience with previous governments. But that is not the case today. People have a lot of trust in our government,” IT Minister Ashwini Vaishnaw had earlier told The Indian Express.
* Processing of data for legitimate uses: Neither the government nor private companies need to seek informed consent from citizens for certain legitimate uses.
For the government, this includes processing personal data for offering subsidies and certificates, responding to a medical emergency, for national security, and during natural disasters.
Private entities can assume consent when an individual has not expressly denied her consent.
“We have added this provision for ease of doing business so that entities can process data that is reasonably within the proximity of what you have originally consented to,” Minister of State for Electronics and IT Rajeev Chandrasekhar had told The Indian Express earlier.
This relaxation can also be used by employers to process their employees’ personal data as a safeguard against loss or liability, such as the prevention of corporate espionage and the maintenance of confidentiality of trade secrets and intellectual property.
* Voluntarily disclosed personal data: Provisions of the data protection Act do not apply to personal data that an individual has made public of their own volition. There are concerns here that such data can be used by companies such as OpenAI to build generative AI platforms from publicly available personal data.
Question No. 5: What will happen if there is a data breach?
One of the rights conferred on individuals under the law is the right to grievance redressal if they are not satisfied with the way their personal data is being handled by the entities in possession of it.
The law also requires both government and private entities to intimate individuals and the data protection board if they have suffered a data breach. The notification timeline for data breaches has not been prescribed in the law and is expected to be established through a separate notification.
Once a data breach has been reported, the data protection board will initiate an investigation into it. If the board determines that an entity has not taken “reasonable security safeguards” to prevent a data breach, it could be fined as much as Rs 250 crore. If entities fail to notify individuals and the board when there is a breach, they could be fined Rs 200 crore.
If a person is not satisfied with the decision of the data protection board, they can file an appeal with the Telecom Disputes Settlement and Appellate Tribunal (TDSAT).
Soumyarendra Barik is Special Correspondent with The Indian Express and reports on the intersection of technology, policy and society.