Data bill eases transfer rules, raises penalties
Deeksha Bhardwaj and Binayak Dasgupta
NEW DELHI: The central government on Friday unveiled the Digital Data Protection Bill for public consultation, having redrawn a long-delayed law that will provide the legal framework for the fundamental right to privacy of Indian citizens with major implications for tech companies and digital businesses.
Now in its fourth iteration, the bill was shared by the Union ministry of electronics and technology and will likely be introduced in the upcoming winter session of parliament.
The key aspects of the bill include laying down certain conditions for how personal data — defined as “any data about an individual who is identifiable by or in relation to such data” — of Indian citizens will be handled, the obligations of those that collect it, and the powers of the government in accessing such information.
“The focus is on protecting internet users from all kinds of online harm, and create a safe and trusted digital ecosystem keeping in mind that India is a digital economy powerhouse today,” said the Union minister for technology, Ashwini Vaishnaw, while speaking to reporters in Delhi.
The minister added that the government has “made sure
Personal data can only be processed after specific, informed and unambiguous consent. Individuals whose data is stored will also have right to withdraw consent, be forgotten. Significant data fiduciaries will have to carry out audits, give a summary of what data is in use. Personal information of children can only be accessed after parents’ approval. that all principles of privacy” laid down by the Supreme Court and in other countries have been included, while also ensuring that the “start-up ecosystem and small businesses are not encumbered by a huge compliance burden”.
The bill retains some principles from the past version, which was withdrawn by the government in August after it was held up in discussions among parliamentarians who eventually issued a report with several dissenting. These include provisions that say that data must be processed after obtaining clear consent, the consent can be revoked, users have the right to be forgotten and those collecting the data will be liable for any breaches that expose the personal information of people in an unautho
The fine companies can attract for lack of breach
safeguards rised manner.
Vaishnaw pointed to the bills wording as a significant feature. “We have attempted in the philosophy of women’s empowerment that Prime Minister Narendra Modi ji’s government works to use the words she and her in the entire bill, instead of he, him and his. So this is an innovative thing which has been attempted in the bill,” the minister said.
The compliance of the law will be overseen by the Data Protection Board (DPB), which can levy up to ₹500 crore in fines against a data fiduciary – an entity that collects or processes data – that failed to take reasonable safeguards to prevent breaches of private information.
In the previous version, the fine was pegged at ₹15 crore of 4% of annual turnover.