The Digital Personal Data Protection Act, 2023, after coming into force in India soon, has marked a significant milestone in the country”s data protection landscape. As this law prepares to roll out, here are five key questions answered about its implications for individuals:
- When can an entity process your personal data?
Entities, both government and private, can process an individual”s personal data under two circumstances: with clear consent or for specific “legitimate uses.” Consent must be accompanied by a notice provided in all 22 languages specified in Schedule 8 of the Constitution. Users can consent directly to businesses, or a consent manager can be used. Legitimate uses also allow data processing.
- What happens to your personal data collected before this law?
Entities that collected personal data before the law”s enactment must provide users with a notice as soon as reasonably practicable. This notice should include details about the data being processed, purposes, consent withdrawal, and grievance redressal. However, certain specifics, such as data storage duration and sharing with third parties, are not mandatory in the notice.
- How will your interactions with apps change due to this law?
Once the law takes effect, users can expect consent notices from downloaded apps. Users can withdraw consent and request data deletion. However, entities may retain data for law enforcement purposes, potentially delaying deletion. Users have the right to access, correct, and nominate individuals for data decisions.
- Will your rights be restricted?
- Certain roadblocks limit the rights prescribed in the law:
- Government exemptions for national security, relations with other governments, and public order.
- Processing of data for legitimate uses, with no need for informed consent.
- Voluntarily disclosed personal data is not protected.
- What happens in case of a data breach?
The law grants individuals the right to grievance redressal. Both government and private entities must report data breaches to individuals and the data protection board. Fines can be imposed for entities failing to notify breaches or lacking reasonable security safeguards.
With the implementation of the Digital Personal Data Protection Act, individuals in India will experience changes in data protection, privacy rights, and interaction with businesses and apps. Understanding these aspects is crucial in navigating the evolving data protection landscape.