For about five years now, the Indian government has been working towards passing a data protection law. Different versions of this law were drafted, discussed and debated in the media, among activists, in academic and research circles, and between various government departments. The versions that were floated introduced several new terms and concepts that may be difficult to grasp but are nevertheless very important to know, as they pertain to the basic rights of individuals online.
To help you understand these terms, stay up to date with the latest draft Digital Personal Data Protection Bill, 2022, and share your feedback with the government, below are some answers to frequently asked questions.
You can even take this quiz to find out whether you agree with the government’s draft bill or not. Answer these simple questions and find out!
What are personal data and sensitive personal data?
Personal data means any information that relates to a person and is capable of identifying them. For example, your home address or your email ID could be your personal data.
Sensitive personal data is not defined under the draft bill, but other existing Indian laws list what kinds of information would be considered sensitive personal data. Essentially, it is any data that reveals a person’s:
- Password
- Financial information, like bank account, credit card, debit card, etc.
- Physical, physiological and mental health condition
- Sexual orientation
- Medical records and history
- Biometric information
- Any of the above information legally held or stored by a company
For example, your UPI ID or Aadhaar card number would be sensitive personal data.
What do you mean by processing of data?
Processing of data means an automated operation or set of operations performed on digital personal data. This operation can include activities such as collection, recording, organisation, structuring, storage, adaptation, alteration and related activities with respect to data. It can also include making the data available, restricting it, erasing it or even destroying it.
Who is a data principal?
A data principal is a person to whom the personal data relates.
Who is a data fiduciary?
A data fiduciary is a person or a group of people who determine the purpose and manner of processing an individual’s personal data. It could be a service provider like Google, which collects information from its users and then determines what their information is going to be used for.
What do you mean by a personal data breach?
A personal data breach is when unauthorised processing of personal data takes place that compromises the confidentiality, integrity or availability of personal data. It would also include accidental disclosure, acquisition, sharing, use, alteration, destruction or loss of access to personal data.
What is data localisation?
Data localisation is a requirement that the personal data of a country’s residents be collected, processed and stored inside the territory of the country, usually before being transferred internationally. It was considered in the older version of the draft bill, but at present this requirement has been done away with. Instead, transfer of personal data to certain countries will now be allowed based on an assessment of some factors.
What is deemed consent?
The draft bill lists certain situations where the data fiduciary need not take consent from the person whose personal data they would be processing. In such situations, it will be assumed that the person has given their consent. These situations are listed under Section 8 of the draft bill.
What is surveillance? Are citizens protected from unreasonable surveillance under the draft bill?
Surveillance hasn’t specifically been defined under the draft bill; however, in literal terms, it means close observation of a person or group of persons. There isn’t a specific law governing surveillance either.
The earlier versions of this draft bill had specifically listed unreasonable surveillance on the part of the government and the harm caused by it, but the current version does not contain such provisions.
What is purpose limitation?
While introducing the draft bill, the Ministry also released an explanatory note to provide context to the draft and list the ideas and principles on which the provisions were based. One of these principles was purpose limitation. According to this principle, personal data which is collected should only be utilised for the purpose for which it was collected and not for anything beyond that. However, there is no provision in the bill to reflect such a restriction on data use.
What is data minimization?
Data minimization is also one of the principles listed in the explanatory note, but it is not reflected in any of the sections of the draft bill. According to the principle of data minimization, only data that is required should be collected and nothing more.
What is storage limitation?
Storage limitation is also one of the principles listed in the explanatory note, but it is not reflected in any of the sections of the draft bill. According to the principle of storage limitation, personal data cannot be stored beyond the time period for which it is required.
Now that you are up to speed on the many concepts from the draft bill, be sure to share your feedback with the government. You can do this by reading a summary of the bill and leaving your comments on civis.vote.
If you have any more questions, please feel free to reach out to us on info{at}civis{dot}vote.