Cabinet clears Data Protection Bill

The Data Protection Bill will be be introduced in the Monsoon Session of Parliament, due to begin on July 20

Updated - July 05, 2023 11:00 pm IST - NEW DELHI

The Digital Personal Data Protection Bill outlines practices for entities on how personal data should be stored and processed to ensure there is no breach.

The Digital Personal Data Protection Bill outlines practices for entities on how personal data should be stored and processed to ensure there is no breach. | Photo Credit: Getty Images/iStockphoto

The Union Cabinet on Wednesday cleared the Digital Personal Data Protection (DPDP) Bill, a senior government official said. The clearance paves the way for the Bill to be introduced in Parliament in the upcoming Monsoon Session, scheduled to begin on July 20. Along with the data protection law, the Union government may also table the Indian Telecommunications Bill, a draft of which was circulated in a public consultation last year. The telecom Bill would overhaul the Telegraph Act, which is the legal framework for telecom firms and internet service providers.

The data protection legislation specifies norms on management of personal data of Indian residents and requires explicit consent from people whose data is collected and used.

The official said that over 20,000 comments were received on the draft Bill though these will not be put out in public domain. He also said that there has not been much change between the draft that was circulated in public consultation and the final Bill, which will be tabled in the parliament. The Union government has refused to provide copies of comments from industry, civil society, and government bodies on the Bills in response to Right to Information requests.

The Bill essentially allows laypersons to complain to the Data Protection Board of India, consisting of technical experts constituted by the government, if they have reason to believe that their personal data has been used without their consent - for example, cell phone numbers or Aadhaar details. “The Board will institute an investigation into the breach,” the official said.

It is not clear what changes, if any, have been made to the DPDP and telecom Bills following consultation processes. Minister of Electronics and Information Technology Ashwini Vaishnaw said in May that the telecom industry had held extensive meetings with the Union government after the public draft of DPDP Bill was released in November.

The DPDP Bill also outlines practices for entities that collect personal data, how that data should be stored and processed to ensure there is no breach, as well as rights of the persons whose data is being used. The Bill draws from an EU law - The General Data Protection Regulation - and benchmarks 23 instances in which taking consent for recording data is not possible. “These are special circumstances like golden hour during an accident or natural disasters and so on,” the official said.

The official further said that the Bill has a clause for offering voluntary undertaking in case an entity wants to admit that a breach has occurred and pay penalty as mitigation measure to avoid court litigation. “Penalty of up to ₹250 crore could be levied for each instance of breach with an upward revision of ₹500 crore,” the official said. Fines for individual offences would begin from ₹10,000.

The fines would be levied by the Data Protection Board of India, which would be set up under the Act. “A penalty of ₹500 crore would apply in case of data breaches,” the official said.

Globally, 90-95% cases are settled at grievance redressal stage, added the official. “In the EU, this law took 10-12 years to evolve, we believe evolution in India will also take time,” the official stated. However, if the aggrieved party (individual whose data is breached) wants to seek compensation they will have to move the courts and resort to the judicial process, the official added.

In an ecosystem where artificial intelligence is rapidly evolving and Chat GPT scrapes data from social media platforms to test its models, the official added that the upcoming Bill is “tech agnostic” and “would cater to the world we are in today”.

As per the latest draft, courts and law enforcement agencies enjoy wide exemptions from key requirements, as the Bill’s requirements do not apply when “personal data is processed in the interest of prevention, detection, investigation or prosecution of any offence or contravention of any law” or “the processing of personal data by any court or tribunal or any other body in India is necessary for the performance of any judicial or quasi-judicial function”.

Right to Information activists have raised concerns on an amendment to the RTI Act, 2005 in the DPDP Bill that would prohibit government departments from sharing “personal information”, arguing government departments may refuse to share information that could hold public officeholders accountable.

“Any personal data will not be shared with a third party, however a person whose data has been breached can ask for their own information through RTI,” said the official.

The Bill comes after multiple versions floated by the Union government, a process that was started way back in 2017 with the K.S. Puttaswamy vs. Union of India judgement, which declared that right to privacy was a fundamental right as part of right to life and liberty under Article 21 of the Constitution.

Retired Justice B.N. Srikrishna, who headed the first committee formed in 2018 to draft a data protection Bill, has disavowed the latest draft, telling the news portal Inc42 in November that the Bill “gives too much margin to the government and does little to protect individuals’ fundamental right of data privacy”.

0 / 0
Sign in to unlock member-only benefits!
  • Access 10 free stories every month
  • Save stories to read later
  • Access to comment on every story
  • Sign-up/manage your newsletter subscriptions with a single click
  • Get notified by email for early access to discounts & offers on our products
Sign in

Comments

Comments have to be in English, and in full sentences. They cannot be abusive or personal. Please abide by our community guidelines for posting your comments.

We have migrated to a new commenting platform. If you are already a registered user of The Hindu and logged in, you may continue to engage with our articles. If you do not have an account please register and login to post comments. Users can access their older comments by logging into their accounts on Vuukle.