India passes a new digital personal data protection bill (DPDPB) that prioritizes users' privacy

The goal of this Act is to establish guidelines for the processing of digital personal data in a way that respects both the necessity to handle personal data for legitimate reasons and the right of persons to have their data protected.

Features of the Bill

• The Bill would be applicable to the handling of digital personal data processed in India, whether the data is obtained online or offline and then converted to digital form.  If the processing is being done to sell products or services in India, it will also apply to processing done outside of India.
• Personal data should only be handled with the individual's permission and for valid reasons.  For some legal purposes, such as the processing by the State in order to process applications for permits, licenses, benefits, and services, or the voluntary exchange of data by a person, consent may not be necessary.
• Data fiduciaries will be required to keep data accurate, safe, and deleted when its purpose has been served.
• The Bill provides individuals with a number of rights, including the ability to request information, seek rectification and erasure, and file a grievance.

The following seven principles form the basis of the Bill:

1. The idea that personal data should only be used with consent, legally, and openly
2. The concept of purpose limitation (only using personal information for the purposes mentioned at the time the Data Principal gave consent)
3. The idea of data minimization (collecting just the minimum amount of personal information required to fulfill a certain goal)
4. Assuring the quality and currectness of the data
5. The idea of limited storage (just keeping data for as long as it's required for the intended use)
6. The idea of practical security measures
7. The idea of accountability (by deciding on data breaches and violations of the Bill's provisions and imposing fines for the violations)

Conclusion:

The legal framework mandates that information be processed "only for a lawful purpose upon an individual's consent" and that it be stored only as long as is necessary for the specified purpose. This approach is applicable to personal data that is gathered inside and outside of India, both online and offline (and afterwards digitalized).
Users should be given notice of the intended processing of their personal data along with or prior to requests for their express consent.