Data usage and ground-rules: Inside India's new Digital Personal Data Protection framework

economictimes.indiatimes.com:

DPDP) Act passed by Parliament in the just-concluded monsoon session. The law arms individuals with greater control over their data while allowing companies to transfer users' data abroad for processing, except to nations and territories restricted by the Centre through notification.

It also gives the government power to seek information from firms and issue directions to block content. While the new law seeks to establish a robust framework for the protection of personal data in the digital realm, it has drawn criticism from some quarters over broad exemptions granted to state entities and some of its provisions diluting the landmark Right to Information (RTI) law.

The new legislation comes after the government, last year, withdrew a December 11, 2019 bill that had alarmed tech companies like Facebook and Google with its proposals for stringent restrictions on cross-border data flows.Here are key takeaways from the freshly-minted, landmark law:Obligations of data fiduciary: Data fiduciaries, which are entities collecting and processing personal data, are required to obtain free, informed and unconditional consent from individuals before processing their data. Data must be deleted when its purpose has been fulfilled or consent is withdrawn.

Entities must protect personal data in their possession by taking reasonable security safeguards to prevent a data breach, and alert Data Protection Board of India and affected persons when data breach occurs. A Data Fiduciary has to publish the contact information of a Data Protection Officer or a person who will answer questions about the processing of personal data.