Does the bill protect our personal data? To an extent. Firms scraping data from social media can only take data that has been posted by the user themselves. If the data is posted by a third person, however, firms will need to obtain permission for scraping this data.
The bill also restricts storage and processing of personal user data, beyond what a user explicitly gave consent for. This can significantly complicate the consent-taking procedure that most companies follow right now. Hence, while it does permit personal data usage, it also limits it.
However, exemptions afforded to companies to withhold personal data for law enforcement could be misused. Are governments and firms exempted? Yes, and this point is expected to be debated in the coming days. On companies, experts said that the DPDP bill lacks any review mechanism or appeal process for tech firms if the central government orders them, addressed as ‘significant data fiduciaries’ in the bill, to furnish the data.
Section 10(1) of the bill also lists out a number of broad clauses under which it can ask companies to produce personal data, which include “risks to the rights of data principal", “impact on the sovereignty and integrity of India", “risk to electoral democracy", “security of the State", etc. What happens in case of complaints? The Telecom Disputes Settlement and Appellate Tribunal under a Data Protection Board will handle grievances. This has raised questions.
Some question if the body has the expertise to assess and gauge the impact of breach of consent of personal data. Others cite this as a missed opportunity to set up a dedicated authority to handle grievances. What’s the approach to data transfers? Previous drafts had suggested a ‘whitelisting’
. Read more on livemint.com