The bill is aimed at providing for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes.
The central government on Friday uploaded the Digital Personal Data Protection bill for comments and consultation. According to the Ministry of Electronics and Information Technology, the bill is aimed at providing for the processing of digital personal data in a manner that recognizes both the right of individuals to protect their personal data and the need to process personal data for lawful purposes.
The new Bill proposes the following:
* On or before requesting an individual for her consent for access to personal data, the data fiduciary (persons who determine the purpose and means of the processing of personal data) shall give the person an itemised notice in clear and plain language containing a description of personal data sought to be collected and the purpose of the processing of such personal data.
* Consent for access to personal data shall be sought in English or any language specified in the Eighth Schedule to the Constitution of India.
* The individual shall have the right to withdraw consent at any time. The consequences of such withdrawal shall be borne by the individual. The withdrawal of consent shall not affect the lawfulness of processing of the personal data based on consent before its withdrawal.
* If an individual withdraws his or her consent to the processing of personal data, the data fiduciary shall, within a reasonable time, cease and cause its data processors to cease processing of the personal data of that person.
* Every data fiduciary and data processor shall protect personal data in its possession or under its control by taking reasonable security safeguards to prevent personal data breaches.
* Every data fiduciary shall publish the business contact information of a Data Protection Officer or a person who is able to answer, on its behalf, individuals' questions about the processing of their personal data. Every data fiduciary shall have in place a procedure and effective mechanism to redress individuals' grievances.
The Bill sets heavy penalties for non-compliance with data protection norms. These include a penalty of Rs 250 crore for failure to take reasonable security safeguards to prevent a personal data breach, whether by those who determine the purpose and means of the processing of personal data (data fiduciary) or by those who process personal data on behalf of a fiduciary (data processor).
The Bill further states that the central government shall establish an independent body named the Data Protection Board of India that will, among other aspects, direct the data fiduciary to adopt any urgent measures to remedy personal data breaches or mitigate any harm caused to individuals and determine non-compliance with provisions of this Act.