All about Digital Personal Data Protection law


Now that President Droupadi Murmu has given her assent, the Digital Personal Data Protection (DPDP) Bill, 2023 is in effect the law of the land. What changes will it bring to our daily life?

Here's a detailed look at the DPDP law:

The Union government introduced the revised DPDP Bill, envisaged to protect data, in Parliament after prolonged deliberations that went on for over six years.

So how would the new legislation change our lives? Let's have a look at a few instances:

Purpose limitation

Several shops ask for customers' phone numbers while billing and so on. Suppose you have provided your phone number for receiving the e-bill: the establishment can use your phone number only for forwarding the bill. It cannot forward promotional messages. This is called 'Purpose Limitation'.

Business establishments can still send promotional messages, provided they have the consent of the customer. However, they have to apprise the customer of the purpose of the data collected, how the consent can be withdrawn, and whom to approach in case of a complaint.

If the customer does not want to receive messages after giving consent, they can easily withdraw it by sending an e-mail to the establishment's consent manager/data protection officer. Once the consent is withdrawn, the establishment has to remove the customer's information from its database.

Needed: Parent's consent

Individuals aged below 18 will have to get their parents' consent to register on websites or apps. For instance, if a 15-year-old girl or boy wants to sign into Facebook, the social media platform should accept her/his parents' verifiable consent. OTP or ID verification methods will be implemented as part of the verification process.

It means that in the future when a child tries to sign in, the registration will be completed only after providing the OTP forwarded to her/his parent.

Currently, anyone aged 13 or above can create a Facebook account without restrictions once the individual self-attests her/his age. In the future, however, this will not be possible.

The government can relax the norms if it is convinced that a firm is securely handling children's data. However, sources in the Ministry of Information Technology said the relaxation will not be extended to social media platforms.

The relaxation will mostly be for educational and skill development purposes. Firms providing such services will have to strictly and securely complete all the processes, including KYC.

Advertisements for children

Advertisements pop up based on our search history. However, the DPDP Bill prohibits companies from advertising to children based on their search history or page visits. Additionally, companies cannot track children's activities based on their Internet transactions.

For instance, if a child regularly searches for 'Racing Game,' Google cannot use her/his search data to advertise and promote a racing game firm. If a child searches for 'Barbie Doll', suggestions on Barbie Doll should be pushed when s/he opens Flipkart or any other e-commerce platform.

Facebook and old data

If you are already signed into Facebook, you will soon receive a notification from the social media giant via e-mail or app, regarding your data it already has and the purposes for which it has been used. Additionally, the social media platform will be bound by law to provide you with the process by which you could withdraw the data, details of the grievance redressal officer, etc.

However, Facebook could use your data until you withdraw the permission to use it.

No unnecessary data

Consider this scenario. You are registering on a hospital's app to consult a doctor, and the app requests access to your contact list. You grant permission without a second thought. However, since the contact list is not required to consult the doctor, the right/permission to access it will be rendered invalid.

In short, companies can seek only the relevant data. Additionally, the data collected should be deleted once the purpose is served.

Agency's role

Suppose, your mobile phone service provider has assigned an agency to send you the bills. If you have an app option, and if you select the option, the agency should immediately stop processing your data. Additionally, it has to delete the data. However, the DPDP Bill does not have a provision preventing the service provider from sharing your data with the agency.

RTI and DPDP

An RTI application seeking information on a corrupt official may be rejected. The government can deny the information saying it has personal data. The amendment is repealing the provision to gather personal information (Section 8-J). The provision against denying an individual any information that Parliament cannot deny, too, would be repealed.

Ask the firms

If you have an account on X (previously Twitter), you have the right to ask the company about the data in its possession, and the firm is bound to provide the information. However, you cannot seek the same information from government institutions. You can even ask establishments to make corrections or changes to the data in their possession.

What happens to data after death?

Today, data is as precious as wealth. You can name a nominee to handle your data as in the case of wealth. The Bill has a provision allowing the citizens to name a nominee to handle their data after death.

Data leak

In the current situation, you may not know if your data leaks from a company. However, the DPDP Bill mandates the company to inform you and the Data Protection Board about the leak. Failure to do so will invite a hefty fine of up to Rs 200 crore. This clause, however, does not apply to government institutions.

Free use for government

The government can use personal data provided while registering on its website or app to see if the individual is eligible for any other schemes. Personal data in the government's online database or registers or those that will be digitalised in the future could be used to check eligibility for other schemes. However, this right does not apply to private firms.

Citizens can be penalised

If you approach the Data Protection Authority with false claims of data leak from a company, you can be slapped with a fine of up to Rs 10,000. The Bill has included provisions to penalise citizens if the norms are breached.

The norms include the citizens' duties. Impersonation, hiding information, lodging false and silly complaints with the Data Protection Authority, and providing incorrect information while utilising the right to correct data already provided could invite a penalty.

Other examples

• While checking in, a hotel will have to get your permission to maintain a scanned soft copy of your Aadhaar card. If the copy is leaked, the hotel could be penalised. However, if the hotel is keeping a hard copy, it will not come under the new digital law.

• Using the phone number provided while booking a room for marketing purposes will be against the law. If the number collected is used for marketing purposes, the phone user should be informed in advance.

• Banks should inform the customer of the purpose of taking the photostat copies of ID documents while opening an account.

• Users have the right to know the purpose for which Facebook asks for personal information, including date of birth.

• If the data provided is withdrawn, the office concerned has the right to stop the services.

