Understanding the terms and their meaning is essential to reading the bill correctly, so this first chapter establishes the fundamental definitions as the bill itself uses them:
Digital Personal Data Protection Bill 2022
‘Personal Data’: the whole bill is designed to protect an individual from misuse or overuse of his or her data by any entity that holds or has access to it. ‘Personal Data’ can be understood as any data that identifies, or can be used as a direct reference to identify, an individual. ‘Personal Data’ is the core that the bill protects; everything in the bill is designed to prevent misuse of such data and provides sizeable penalties for any breach of the agreement between the individual and the entity.
‘Children Data’ is separately classified in the bill, which imposes specific obligations on entities that deal with data relating to children. A Child is defined as any living person who has not attained 18 years of age.
The Individual is termed the ‘Data Principal’ in the bill, whereas the term used globally is ‘Data Subject’. This may be confusing for global brands from a policy-drafting perspective, but the term simply denotes any individual whose ‘Personal Data’ is at issue.
The entity or organization that determines the purpose and means of processing the Personal Data is termed a ‘Data Fiduciary’: effectively, the company that collects the Personal Data, or on whose behalf it is collected, processed and stored. The bill also provides for the term ‘Data Processor’.
Readers should be clear that ‘Data Fiduciary’ and ‘Data Processor’ are different terms and cannot be used interchangeably. A ‘Data Processor’ is a person or entity that processes ‘Personal Data’ on behalf of the ‘Data Fiduciary’; the term covers vendors, partners, outsourced entities and the like.
The bill covers all data that is made available in digital form, including physical data that has been digitized: for example, a paper document containing information that is scanned into a digital format is also governed as ‘Digital Data’.
Under this proposed regulation, all entities are required to inform the ‘Data Principal’ (the Individual) what data will be collected, how it will be stored, and how and for what purpose it will be processed.
This communication must be made in a manner that is simple for the Individual, who must have access to these details free of cost. The bill calls this the ‘Notice’. The ‘Notice’ can be a separate document, an electronic form, or part of the same document in or through which the ‘Personal Data’ is sought to be collected. It is essential that the ‘Notice’ is drafted in simple-to-understand language and itemized, so that the Individual is aware of its particulars before providing ‘Consent’.
‘Consent’ must be obtained from the ‘Data Principal’ (the Individual) before the entity collects, stores, or processes any ‘Personal Data’. An entity that does not expressly obtain ‘Consent’ from the ‘Data Principal’ is clearly in breach of this regulation.
While the bill empowers an entity to collect data as agreed in its ‘Notice’, it clearly defines restrictions for all three stages: collection, storage, and processing. The bill also provides a grievance redressal mechanism through the appointment of a DPO, or Data Protection Officer, who is answerable to the management of the entity and acts as the officer responsible for resolving complaints regarding the use and misuse of data.
Watch out for this space for further chapters on the new bill that is going to redefine today’s digital world!