Digital platforms like apps and websites will have a list of tasks ahead of them once the Digital Personal Data Protection Bill, 2023, gets enacted. They may need to build several functionalities and revamp some of their data-handling processes.
The government has introduced the Digital Personal Data Protection Bill, 2023, in the Lok Sabha to outline the lawful collection, processing and safeguarding of private data, and penalties of up to Rs 250 crore in case of data breaches.
Every platform will need to take unconditional and informed consent from users for processing their data.
They will also need to provide a notice explaining the purpose of data processing and the rights of users.
Experts believe the compliance burden will initially be more for consumer-facing organisations that handle personal information.
“The companies handling digital personal data may need a platform to manage different privacy activities, to monitor if consent is being properly collected and applied.
Upon a request from a user, they may need to provide a copy of their information. Above a certain load, you have to start thinking about automating,” said Nader Henein, research vice-president, Privacy & Data Protection at Gartner.
According to the Bill, the platforms must obtain verifiable consent of the parent before processing any personal data of a person below 18 years and in cases of persons with disability, consent from lawful guardians.
Henein said this will be a complex task.
“We have seen tools like facial recognition to verify a person’s age or a video verification by parents authorising their child to use a service. So, this is a very difficult one but I think it’s very important,” he said.
The notice for users before collecting their data has to be made available in all 22 official languages. Experts say this may lead to the rise of multilinguality features in the form of notices as well as consent.
Apart from this, the clause that requires the erasure of the personal data of a user in case they withdraw their consent would be a very complex task for the platforms.
“The platforms will need to think through how they are drafting the purpose of data collection to be mentioned in the request to consent. The platforms that are already processing personal data will now need to implement processes to obtain user consent within a reasonable timeline,” said Aparna Gaur, Leader of IP, Technology, Media and Education at Nishith Desai Associates.
The Bill also requires platforms to disclose any data breach that happens on its end. Failing this, they may face penalties up to Rs 200 crore.
“Currently there is no requirement to notify the users in case of cybersecurity incidents, but the Bill says the platforms must notify users in case of a data breach. As of now, this is not followed by many platforms and it will be a big change in their conduct,” Gaur said.
