The Digital Personal Data Protection Bill, 2023


The Digital Personal Data Protection Bill, 2023 is a comprehensive legislative proposal aimed at protecting people’s personal data in the digital age. The demand for strong frameworks to protect people’s sensitive information is rising as a result of the rapid development of technology and data-driven services. This measure aims to allay these worries by establishing regulations that control the gathering, storing, processing, and sharing of personal data by various entities, including corporations, governmental agencies, and other groups.

The bill’s main goals are to give people more influence over their personal data and to create accountability systems for the organizations that handle it. A summary of the Digital Personal Data Protection Bill, 2023 is provided below:

Scope and Definitions:

The law broadly defines personal data to include data that can either directly or indirectly identify a person. It also covers very sensitive personal information such as biometric data, financial data, medical records, and more. Both data processors (entities that process data on behalf of controllers) and data controllers (entities that determine the purpose and means of data processing) are subject to the legislation.

Data Protection Authority (DPA):

According to the proposed legislation, a Data Protection Authority will be created, which will serve as an independent regulatory agency in charge of monitoring and implementing data privacy laws. The DPA has the authority to publish directives, carry out audits, look into infractions, and impose sanctions for non-compliance.

Individual Rights:

The bill gives individuals a number of rights, including the ability to transfer their data between service providers and the right to erasure. Other rights include the ability to access and correct inaccurate information about them.

Lawful Basis and Consent:

Data processing must have a legal basis, such as consent, the fulfillment of a contract, a legal requirement, a person’s vital interests, the accomplishment of a public task, or the pursuit of the data controller’s or a third party’s legitimate interests. Freely provided, precise, informed, and revocable consent is required.

Sensitive Personal Data:

The subject must expressly consent to the processing of sensitive personal data. Children’s data processing is subject to specific protections that call for parental approval.

Cross-Border Data Transfer:

Data may be transferred across borders, but only to nations that offer a suitable level of protection or that are subject to the necessary safeguards. Additionally, the measure includes requirements for data localization, guaranteeing that crucial personal data is kept and handled inside the boundaries of the nation.

Data Protection Impact Assessment (DPIA):

Data controllers are required to complete Data Protection Impact Assessments (DPIAs) for high-risk data processing operations. This aids in spotting and averting potential privacy problems in advance.

Data Breach Notification:

Data controllers are required to notify the DPA and affected individuals as soon as they become aware of a data breach that puts people’s rights and freedoms at risk.

Accountability and Transparency:

Data controllers are responsible for following the rules set forth in the bill. They must have policies in place to ensure data privacy and provide people with a clear understanding of how their data is processed.

Penalties and Enforcement:

Violations of the provisions of the bill may subject violators to harsh fines and sanctions. The DPA has the power to carry out investigations, issue warnings, and levy fines in accordance with the seriousness of the infraction.


The bill identifies particular instances in which processing personal data is exempt from certain requirements, such as when it is done for research, academic, artistic, or journalistic objectives.

