Digital India Act: IT Rules in India Explained

The Ministry of Electronics and Information Technology (MeitY) has prepared a draft Bill, titled the Digital Personal Data Protection Bill 2022 and has invited feedback from the public.

The draft Bill sets out the rights and duties of the citizen and the obligations of the Data Fiduciary to use the collected data lawfully.

As part of the compliance framework, it envisages the setting up of a Data Protection Board of India to determine non-compliance with the provisions of the draft Bill, impose penalty for such non-compliance, and perform such other functions as the Central Government may assign to it under the provisions of the draft Bill or any law.

Currently, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, made by the Central Government in exercise of its powers under the Information Technology Act 2000, provide the security practices and procedures that a body corporate or any person collecting,

receiving,

possessing,

storing,

dealing or

handling information on behalf of the body corporate is required to observe for protecting personal data of users.

These practices and procedures include the requirements that such body corporate or person publish on the website a policy for privacy and disclosure of personal information, data or information, to use information collected for the purpose for which it has been collected, to keep it secure and to obtain prior permission of the information provider for disclosing personal data.

 MeitY officials have said the new draft strikes a delicate balance and factors in learning from global approaches, while staying aligned to the Supreme Court’s ruling on privacy as a fundamental right, but within reasonable restrictions.

You have the right to find out what information the government and other organisations store about you. These include the right to: be informed about how your data is being used and how thy accessed personal data.

It provides a framework for a strict user-consent regime for data processing, as well as a penalty of up to Rs 500 crore for data breaches by social media and internet companies.

Data can be both - personal data is collected from Data Principals online; and (b) such personal data collected offline, is digitized.

The Data Principal shall have the right to obtain from the Data Fiduciary: (1) the confirmation whether the Data Fiduciary is processing or has processed personal data of the Data Principal; (2) a summary of the personal data of the Data Principal being processed or that has been processed by the Data Fiduciary and the processing activities undertaken by the Data Fiduciary with respect to the personal data of the Data Principal; (3) in one place, the identities of all the Data Fiduciaries with whom the personal data has been shared along with the categories of personal data so shared; and (4) any other information as may be prescribed. 13. Right to correction and erasure of personal data (1) A Data Principal shall have the right to correction and erasure of her personal data, in accordance with the applicable laws and in such manner as may be prescribed. (2) A Data Fiduciary shall, upon receiving a request for such correction and erasure from a Data Principal: (a) correct a Data Principal’s inaccurate or misleading personal data; (b) complete a Data Principal’s incomplete personal data; (c) update a Data Principal’s personal data; (d) erase the personal data of a Data Principal that is no longer necessary for the purpose for which it was processed unless retention is necessary for a legal purpose.

The Central Government will establish a Board to be called the Data Protection Board of India which will decide any issues related to data breach/.

The allocation of work, receipt of complaints, formation of groups for hearing, pronouncement of decisions, and other functions of the Board shall be digital by design. (2) The strength and composition of the Board and the process of selection, terms and conditions of appointment and service, removal of its Chairperson and other Members shall be such as may be prescribed. (3) The chief executive entrusted with the management of the affairs of the Board shall be such individual as the Central Government may appoint and terms and conditions of her service shall be such as the Central Government may determine. (4) The Board shall have such other officers and employees, with such terms and conditions of appointment and service, as may be prescribed. (5) The Chairperson, Members, officers, and employees of the Board shall be deemed, when acting or purporting to act in pursuance of provisions of this Act, to be public servants within the meaning of section 21 of the Indian Penal Code. (6) No suit, prosecution or other legal proceedings shall lie against the Board or its Chairperson, Member, employee, or officer for anything which is done or intended to be done in good faith under the provisions of this Act.