Digital Data Protection Act 2023 (India)
Digital data protection refers to the practices, technologies, and policies designed to safeguard digital information from unauthorized access, corruption, theft, or loss. It encompasses a range of strategies and tools aimed at ensuring the confidentiality, integrity, and availability of data. Here are some key aspects:
Key features:
- Applicability
● The Bill applies to the processing of digital personal data within India where such data is:
(i) collected online (e.g. Facebook data)
(ii) collected offline and then digitized (e.g. data collected while entering a building and then stored digitally)
● It also applies to the processing of personal data outside India if it is for offering goods or services in India.
- Consent
● Personal data may be processed only for a lawful purpose after obtaining the consent of the individual.
● A notice must be given before seeking consent (e.g. the terms and conditions through which our consent is obtained).
● Consent may be withdrawn at any point in time.
- Rights and duties of the data principal (the individual)
An individual whose data is being processed (the data principal) will have the right to:
● obtain information about processing
● seek correction and erasure of personal data
● nominate another person to exercise these rights in the event of death or incapacity
- Obligations of data fiduciaries (the one collecting the data)
The entity determining the purpose and means of processing (the data fiduciary) must:
● make reasonable efforts to ensure the accuracy and completeness of data
● build reasonable security safeguards to prevent a data breach
● inform the Data Protection Board of India (DPBI) and affected persons in the event of a breach
- Transfer of personal data outside India
● The Bill allows transfer of personal data outside India, except to countries restricted by the central government through notification.
- Data Protection Board of India
The central government will establish the Data Protection Board of India to adjudicate on non-compliance with the provisions of the Bill.
Key functions of the Board include:
(i) monitoring compliance and imposing penalties
(ii) directing data fiduciaries to take necessary measures in the event of a data breach
(iii) hearing grievances made by affected persons
The Board also has the authority to:
(i) inspect documents of companies handling personal data
(ii) summon and examine individuals under oath
(iii) recommend blocking access to intermediaries that repeatedly breach the bill’s provisions.
Need for this Bill
● Data breaches are becoming regular occurrences.
● It was reported in June 2023 that a major privacy breach with respect to the CoWIN portal had taken place.
● Personal details of vaccinated users had been leaked on Telegram.
● Recently, in July 2023, about 12,000 confidential records of State Bank of India employees were reportedly made public on Telegram.
● In view of this, a cause of great concern in the Bill is the exemption under Clause 17(2)(a) which, if notified, is granted to the government and its authorities.
General Data Protection Regulation (EU)
GDPR stands for General Data Protection Regulation. It’s a set of rules created by the European Union (EU) to protect the personal information of individuals.
1. Protection of Personal Data:
- GDPR focuses on safeguarding the privacy and personal data of people within the EU.
2. User Consent:
- Companies must obtain clear permission (consent) from individuals before collecting or using their personal information.
3. Transparency:
- Organizations are required to be transparent about how they collect, process, and store personal data. This includes informing individuals about the purpose of data collection.
4. Individual Rights:
- GDPR grants individuals certain rights, such as the right to access their data, correct inaccuracies, and even request the deletion of their information.
5. Data Security:
- Companies must implement measures to ensure the security and confidentiality of the personal data they handle.
6. Notification of Breaches:
- In case of a data breach that could jeopardize individuals’ privacy, companies are obligated to notify both the affected individuals and relevant authorities.
7. Children’s Privacy:
- Extra protections are in place for the personal data of children, and parental consent is often required for collecting data from minors.
8. Global Applicability:
- While it originates from the EU, GDPR can affect companies around the world if they process the personal data of individuals within the EU.
9. Penalties for Non-Compliance:
- Companies failing to comply with GDPR may face significant fines, highlighting the seriousness of data protection.
Privacy Protection Acts (USA)
The United States does not have a comprehensive federal data protection and privacy law applicable to all sectors. Instead, the U.S. has a combination of sector-specific laws, state laws, and industry self-regulation that govern data protection and privacy.
1. Sector-Specific Laws:
- Health Information (HIPAA): The Health Insurance Portability and Accountability Act (HIPAA) was enacted to safeguard individuals’ health information. It applies to healthcare providers, health plans, and healthcare clearinghouses. HIPAA sets standards for the security and privacy of protected health information (PHI) and outlines the responsibilities of entities handling such information.
- Financial Information (GLBA): The Gramm-Leach-Bliley Act (GLBA) focuses on the protection of consumers’ non-public personal information held by financial institutions. It requires financial institutions to implement measures to ensure the security and confidentiality of customer information.
- Children’s Privacy (COPPA): The Children’s Online Privacy Protection Act (COPPA) addresses the online collection of personal information from children under 13. It imposes requirements on operators of websites or online services directed at children to obtain parental consent and provides guidelines for the treatment of children’s personal information.
2. State Laws:
- California Consumer Privacy Act (CCPA): The CCPA is a landmark privacy law in California that grants residents specific rights over their personal information. It allows consumers to know what personal information is collected about them, opt-out of the sale of their information, and request the deletion of their data, among other rights.
- Other State Laws: Various states, such as Virginia and Colorado, have introduced or enacted their own privacy laws. These laws may include provisions similar to the CCPA, but there can be variations in terms of scope and requirements.
3. Industry Self-Regulation:
- In some sectors, industry-specific organizations or associations establish self-regulatory standards and guidelines for the responsible handling of data. These standards are often tailored to the unique needs and practices of a particular industry.
4. Proposed Federal Legislation:
- Several proposed bills at the federal level aim to create a comprehensive data protection and privacy framework. These bills often seek to establish a set of consistent rules applicable across all sectors, providing individuals with more control over their personal information and imposing obligations on businesses regarding data practices.
5. Federal Trade Commission (FTC):
- The Federal Trade Commission (FTC) is a key federal agency responsible for protecting consumers and promoting competition. While the U.S. lacks a comprehensive privacy law, the FTC has the authority to take enforcement actions against companies engaging in unfair or deceptive practices related to privacy. The FTC’s actions often focus on cases where companies fail to uphold their privacy promises or engage in practices that harm consumers.