In the previous post, we covered definitions and some key concepts linked to citizen data.
In this post, we continue with the key provisions of the Act.
Can’t Keep Old Data
Umesh uses App A for about six months and then deletes his account.
App A will have to delete all of Umesh's data once the legal period for which the data needs to be kept has passed.
Need to Inform
Today, when a data breach happens, the website or app is not required to inform a user.
But now, every company will be required to inform the country’s Data Protection Board and every individual user whose data was likely breached.
Currently, there is no time limit within which the company must inform. That is likely to come in the Rules related to the Act.
Grievance process required for all Data Fiduciaries
All apps will have a process to manage the grievances of the user.
There is no time limit on how quickly the grievances need to be resolved.
There is no provision for compensation to the user for a breach of user data or a grievance.
If the user is not happy with the grievance management, they can make a complaint to the Data Protection Board. If they are also not happy with the decision of the Data Protection Board, they can then file a case in the High Court directly.
Subcontracting is allowed
Suppose Umesh gives his data to Bank A for processing a loan. Bank A subcontracts the work of loan application verification to DataZ Inc.
DataZ Inc, in turn, subcontracts this work to ABC Data Processors Limited.
All such subcontracting is allowed under the Act and the user’s data can be shared with all such subcontractors.
Data of Children
Can only be collected after consent from the parent or legal guardian.
Cannot do tracking or behavioral monitoring of children.
Cannot do targeted advertising to children.
There is no mechanism to identify when a user is a child.
This series is continued – Part III is here.