The Union cabinet on Wednesday approved the controversial Digital Personal Data Protection Bill, effectively paving the way for India’s first privacy law. The legislation is likely to be presented during the upcoming monsoon session of Parliament. It proposes stringent penalties, with fines of up to Rs 500 crore for individuals and companies that fail to prevent data breaches, including accidental disclosures, unauthorised sharing, and tampering or destruction of personal data. Additionally, the legislation mandates obtaining consent before collecting personal information.
Companies involved in data breaches can now voluntarily disclose the breach as a form of plea bargaining. By coming forward and admitting to any breach, these companies can rectify the situation by paying the corresponding penalty. The eagerly awaited draft also decriminalises most provisions related to data breaches, designating the Data Protection Board (DPB) as the central authority responsible for imposing penalties in such cases.
Digital Personal Data Protection Bill
The government had initially introduced a draft bill in November, which underwent several rounds of public consultations. Privacy activists heavily criticised the draft for granting broad exemptions to the Union government and its agencies, while also diluting the role of the data protection board. A revised draft was prepared based on the feedback received during the consultations and subsequently underwent inter-ministerial discussions. Various stakeholders, including technology companies and privacy activists, recommended further refinements to eliminate the possibility of misuse.
One provision in the draft Bill, known as “deemed consent,” allows government departments to assume consent for processing personal data on grounds of national security and public interest. This provision raised concerns among opposition members, who feared it could undermine the independence of the proposed data protection authority. They cited instances where government pressure compromised the autonomy of institutions such as NCERT and the Election Commission. However, the government has now assured that the DPB will primarily comprise independent industry experts rather than government officials. Additionally, the DPB will serve as the secondary adjudicatory body for all matters related to digital personal privacy and data, with the initial point of contact being the grievance redressal cell of companies.
The proposed law will establish a legal framework for safeguarding personal data of Indian citizens. It also creates a data protection authority (DPA) to oversee the implementation of the law. It sets guidelines for the collection and storage of personal information. The government looks to establish a regulatory agency to monitor the implementation of the law.
The origins of the Bill can be traced back to the 2017 Puttaswamy judgment of the Supreme Court which recognised privacy as a fundamental right of Indian citizens. This landmark ruling initiated a five-year process to develop data protection legislation in India, resulting in four versions of the Data Protection Bill. However, activists expressed concerns about the government’s potential access to personal data through various provisions in the bill.
The bill holds significance within the government’s broader framework of technology regulations, which includes the proposed Digital India Bill, a successor to the Information Technology Act of 2000, the Indian Telecommunication Bill of 2022, and a policy governing non-personal data.
The bill contains provisions to liberalise data transfer conditions, allowing global data flows to jurisdictions beyond a specified negative list of restricted countries. The government is yet to identify the countries or territories where personal data of Indian citizens can be transferred. This provision aims to ensure business continuity for enterprises and position India as an integral part of the global data transfer network. Data transfer plays a crucial role in trade negotiations, and India is currently exploring this aspect with key regions like the European Union.
The government believes that the new bill is vital for ensuring privacy-related matters remain future-proof in an era of rapidly evolving technology. The government asserts that the bill protects consumer rights to data privacy and maintains light and easily manageable obligations for data fiduciaries to avoid hindering innovation, the economy, and India’s position as a secure data processing destination. Minister of state for electronics and IT Rajeev Chandrasekhar says the goal is to align the legislation with the government’s objectives of effective data governance.