THE DIGITAL PERSONAL DATA PROTECTION BILL, 2022
The purpose of this Act is to provide for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes, and for matters connected therewith or incidental thereto.
This law is about how digital personal information should be handled. It’s meant to balance the rights of individuals to keep their personal information safe with the need to use that information for legal purposes. The law also covers related matters.
- Short Title and Commencement
(1) This Act may be called the Digital Personal Data Protection Act, 2022.
(2) It shall come into force on such date as the Central Government may, by notification
in the Official Gazette, appoint. Different dates may be appointed for different
provisions of this Act. Any reference in any provision of this Act to the commencement
of this Act shall be construed as a reference to the commencement of that provision.
The official name of this law is the Digital Personal Data Protection Act, 2022. It will come into effect on a date chosen by the Central Government and announced in the Official Gazette. Different parts of the law may have different starting dates. Any mention of the “commencement” of the law means the start of that particular section.
- Definitions
In this Act:–
2.(1) “automated” means any digital process capable of operating automatically in response to instructions given or otherwise for the purpose of processing data;
This section defines the term “automated” for the purpose of the law. It means any digital process that can operate on its own in response to given instructions or for the purpose of processing data.
The definition of “automated” is important because it is used throughout the Act to describe how personal data is processed. This definition specifies that the process must be digital, and capable of operating automatically in response to instructions or for the purpose of processing data.It is important to note that this definition does not specify the type of data that is being processed or the purpose of the processing.
Some may argue that the definition of “automated” is too broad and could encompass a wide range of digital processes that may not necessarily be relevant to personal data protection. Others may argue that the definition should be more specific and clarify the types of processes that are considered “automated” for the purposes of the Act. It is also possible that some may find the definition too technical or difficult to understand, and may require additional clarification or explanation.
2. (2) “Board” means the Data Protection Board of India established by the Central
Government for the purposes of this Act;
This section defines the term “Board” for the purpose of the law. The Board refers to the Data Protection Board of India, which has been established by the Central Government specifically to oversee and implement the provisions of this Act. The definition of “Board” is important because it establishes a specific body that is responsible for implementing the provisions of the Act. The Data Protection Board of India has been established by the Central Government specifically for the purposes of this Act, which indicates the government’s commitment to ensuring that the provisions of the Act are properly enforced. The Board will be responsible for a range of tasks, including regulating the processing of personal data, investigating complaints, and imposing penalties for non-compliance. It is important to note that the Board is a new body that has been established specifically for the purposes of this Act, and is not an existing regulatory body.
Some may argue that the creation of a new regulatory body is unnecessary and may lead to duplication or overlap with existing regulatory bodies. Others may argue that the creation of a new body may create additional bureaucracy and slow down the implementation of the Act. There may also be concerns about the effectiveness and independence of the Board, particularly if it is perceived as being overly influenced by the government.
2. (3) “child” means an individual who has not completed eighteen years of age;
The term “child” in this bill refers to any person who is below 18 years of age. The purpose of this definition is to ensure that children’s personal data is given extra protection, as they are considered a vulnerable group that may not be able to fully understand the implications of sharing their personal information online. By explicitly defining a child as someone under 18, the bill seeks to establish a clear standard for age-based protection measures across different digital platforms and services.
Some may argue that 18 years of age is an arbitrary cut-off point for defining a “child,” and that different age threshold may be more appropriate for different purposes (e.g. voting age, legal age for marriage, etc.).Others may argue that this definition could inadvertently lead to overprotection of some minors who may be more mature and capable of making informed decisions about their personal data while leaving other vulnerable groups (such as elderly individuals) without similar protection.
2. (4) “Data” means a representation of information, facts, concepts, opinions or
instructions in a manner suitable for communication, interpretation, or processing by humans or by automated means;
The term “data” in this bill refers to any form of information, including but not limited to facts, concepts, opinions, or instructions. This information can be represented in a variety of ways that can be communicated, interpreted, or processed by humans or machines. The definition of “data” is intentionally broad to ensure that it covers a wide range of personal information that could be used to identify an individual, such as their name, address, phone number, email address, or online identifiers like IP addresses, cookies, or device IDs.
Some may argue that the definition of “data” is too broad, as it could encompass a wide range of information that may not necessarily be sensitive or personally identifiable. Others may argue that the definition of “data” could be more specific in terms of the types of information that are subject to protection, such as biometric data, health information, or financial information.
2. (5) “Data Fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data;
The term “Data Fiduciary” in this bill refers to any person or entity that has control over the processing of personal data, either alone or in conjunction with other persons or entities. A Data Fiduciary is responsible for determining the purpose and means of processing of personal data, which includes collecting, storing, using, disclosing, or deleting personal data. The term “fiduciary” is used to indicate that the Data Fiduciary has a legal and ethical obligation to act in the best interests of the data subject (i.e., the individual whose personal data is being processed), and to protect their rights and freedoms.
Some may argue that the definition of “Data Fiduciary” is too broad, as it could include a wide range of actors who may not have direct control over personal data, such as service providers or third-party processors. Others may argue that the concept of a “fiduciary” is difficult to apply in practice, as it is often unclear what actions a Data Fiduciary should take to protect the rights and interests of the data subject.
2. (6) “Data Principal” means the individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child;
The term “Data Principal” in this bill refers to the individual to whom the personal data relates. This could include any person whose personal data is being collected, used, processed, or shared by a Data Fiduciary. If the Data Principal is a child, the definition includes the parents or lawful guardians of the child, as they may be responsible for providing consent or making decisions about the processing of the child’s personal data.
Some may argue that the definition of “Data Principal” is too narrow, as it only includes individuals whose personal data is being processed, and does not account for broader societal or collective interests that may be affected by the processing of personal data. Others may argue that the inclusion of parents or lawful guardians as Data Principals for children could create confusion or conflicts over who has the authority to make decisions about the child’s personal data.
About Concur – Harmonizing Data Compliance
Concur is a technology company that provides a suite of enterprise solutions to help organizations manage their data compliance and other business operations. Our solutions include consent management, digital policy management, legacy customer notice guidelines, data principal rights solution, and more. With a focus on innovation and use of blockchain technology, Concur helps enterprises to stay compliant with various regulations such as DPDPB, while streamlining their operations and enhancing overall efficiency. Additionally, they offer dedicated support through their Support Center to ensure customers have the assistance they need to achieve their compliance goals.