India on Thursday moved a step closer to creating legislation governing data privacy and protection.
The Digital Personal Data Protection Bill, 2023, which aims to give Indians tighter control over the use of personal information by entities, was presented in parliament for a second time.
An earlier version of the legislation, which took five years to be drafted, was withdrawn a year ago following opposition from businesses, civil society, and the government’s own expert committee.
The new bill prescribes stringent rules on data sharing, processing, and storage while stipulating penalties of about $30 million (₹250 crore) for data breaches, which can go up to $60 million.
Once the legislation comes into force, fiduciaries – entities or individuals entrusted with the responsibility of managing and safeguarding personal data on behalf of others – can process and use the personal data of individuals only after obtaining their consent. Entities dealing with user data should also safeguard the data even if it is stored with a third-party data processor.
“Many platforms, businesses, and fiduciaries have been collecting personal data of individual citizens and exploiting data for business models, and algorithms without the agreement of the person whose data it is. The bill intends to address this issue,” minister of state for electronics and information technology Rajeev Chandrasekhar said in a social media video message.
“It aims to protect citizens’ rights, create a compliance-friendly regime for startups and the digital economy, and to define the clearly emergent situations under which the government has access to the personal data of citizens during law and order, national security and other situations,” he added.
A data protection law has been in the works since 2017 after India’s Supreme Court ruled that privacy is the fundamental right of citizens and told the government to pass legislation to protect this right.
Under the fresh legislation, a new Data Protection Board of India (DPBI) will be set up to inquire into cases of data breach and impose penalties.
DPBI can slap penalties if fiduciaries fail to notify a data breach and violate regulations on processing data of children. The bill also restricts behavioral tracking of children and bombarding them with targeted advertising using their data.
Under the draft rules, data of differently abled people with guardians and children can be processed only after getting the guardian’s consent.
The bill, which covers personal, sensitive, and critical data, makes it mandatory for entities to appoint data protection officers.
The draft law will also not override the Reserve Bank of India’s and the Securities and Exchange Board of India’s data localization mandates that require foreign payment companies to store their data locally in India.
The opposition parties, meanwhile, have raised objections as the new legislation points to certain scenarios in which the protection to citizens will not be applicable.
Manish Tewari, a member of the Indian National Congress, said in Parliament that the legislation “cleaves the entire digital universe into two parts, with the law applying with full force to all non-governmental organizations while the entire government will be exempted from it.”
Minister of state Chandrasekhar said in his video message that the exemptions have been laid out only in cases of national security and where law and order is concerned.
The bill is expected to be taken up for discussion in Parliament on Monday, with the government hoping to pass it in the current session. The monsoon session of Parliament ends on August 11.