India’s Data Protection Act – Explained

Before we understand the Data Protection Bill, let’s understand some important terms and what they mean.

Data Principal

The person or entity whose data it is.

If you use an app, your usage data is analysed by the app.

In this case, you are the data principal and the app is the data fiduciary. The data that the app has about you is called “data” in this Act.

In this article, we use the term “User” for the legal term – Data Principal. User Umesh will be used as an example.

Data Fiduciary

Fiduciary means – related to trust.

The entity that is using the data of the user has been trusted by the user.

So, that entity is the data fiduciary.

For example, suppose you take a home loan. The bank takes your information to process and approve the loan.

In this case, you are the data principal and the bank is the data fiduciary.

In this article, we use the term “App” for the legal term – Data Fiduciary. We use App A as an example.

Every person owns their data.

Important provisions of the Act

Clear and itemised information in 22 Indian Languages

1. The owner of the data will get information in clear and plain language about:

A. What data will be collected

B. Why it will be collected.

It will be necessary to specify WHY each piece of data is being collected.

If the user does not understand English, they can ask for this information in any of the languages in the 8th Schedule of the Constitution of India. Currently, 22 languages are recognised. These are:

(1) Assamese, (2) Bengali, (3) Gujarati, (4) Hindi, (5) Kannada, (6) Kashmiri, (7) Konkani, (8) Malayalam, (9) Manipuri, (10) Marathi, (11) Nepali, (12) Oriya, (13) Punjabi, (14) Sanskrit, (15) Sindhi, (16) Tamil, (17) Telugu, (18) Urdu, (19) Bodo, (20) Santhali, (21) Maithili and (22) Dogri.

The user can ask for information about their data in any of these 22 languages.

Data Protection Officer

The user will give their consent and get the details of a Data Protection Officer, or another person who can be contacted when there are any questions related to the use and/or storage of their data.

Withdrawal of Consent

Giving consent to use data is not forever. The user can say at any time that they don’t want the app to use their data anymore.

This is called withdrawal of consent.

The ease of this withdrawal will be the same as the ease of providing consent.

Only necessary information

App A tells a user to share their name, email id, and phone no. to use the social media app.

There is no reason for App A to use the phone no. of the user. But App A says that if the user does not agree to share their phone number, they cannot use the app.

This is illegal under the Act. Only the data required to provide a service needs to be part of the consent.

Necessary to Provide Proof

Umesh uses App A. He finds out one day that the app is collecting his usage behaviour even when he is not using the app.

Obviously, App A does not need to know what Umesh is doing when not using the app, to provide social media services to Umesh.

Umesh goes to court and says that App A never told him that his usage behaviour on other websites or apps will be collected by App A.

App A says that they did tell Umesh this and Umesh consented (agreed).

Now, the burden of proof is on App A. App A will have to prove that they did provide this information in a simple way and that Umesh specifically agreed to it.

This is the first of a 3-part explainer.

Part II is here.

Part III is here.

You can also read the full text of the Act here.
