DATA BILL...
down by the Supreme Court and in other countries have been included, while also ensuring that the “start-up ecosystem and small businesses are not encumbered by a huge compliance burden”.
The bill retains some principles from the past version, which was withdrawn by the government in August after it was held up in discussions among parliamentarians who eventually issued a report with several dissenting. These include provisions that say that data must be processed after obtaining clear consent, the consent can be revoked, users have the right to be forgotten and those collecting the data will be liable for any breaches that expose the personal information of people in an unauthorised manner.
Vaishnaw pointed to the bills wording as a significant feature. “We have attempted in the philosophy of women’s empowerment that Prime Minister Narendra Modi ji’s government works to use the words she and her in the entire bill, instead of he, him and his. So this is an innovative thing which has been attempted in the bill,” the minister said.
The compliance of the law will be overseen by the Data Protection Board (DPB), which can levy up to ₹500 crore in fines against a data fiduciary – an entity that collects or processes data – that failed to take reasonable safeguards to prevent breaches of private information. In the previous version, the fine was pegged at ₹15 crore of 4% of annual turnover. Among the key new provisions for data fiduciaries are that they will need to appoint a data protection officer, carry out regular audits (if they are classified as a significant data fiduciary) and remove the private information as soon as the business purpose to do so is over. For the industry, which resisted data localisation rules in the previous proposals, the new draft now says the government could specify countries to which entities managing data can transfer personal data of users.
Sections relating to the prerogatives of the government and a concept included as “deemed consent” are likely to generate debate, though. The bill, like past versions that triggered a controversy , retains exemptions (under section 18) that allow the government to process personal data without consent for purposes such as “maintenance of public order” and “preventing incitement to any cognizable offence”.
It also proposes to exempt the government from having to remove personal data when its purpose is fulfilled and gives the government the power to exempt “any instrumentality of the state in the interests of sovereignty…, security…, friendly relations with foreign states, maintenance of public order” from the safeguards of the law via notification in the future. Experts said such provisions were unconstitutional. “Earlier, according to the 2018 draft, to grant an exemption, the government needed the approval of the Parliament,” said Supreme Court lawyer and founder of Cybersaathi, NS Nappinai. “Now they are proposing that exemptions can be introduced in by order of the central government. That is unconstitutional and will not stand the test of judicial review.”
A second expert flagged the constitution of the DPB, which they said had less autonomy. “The biggest problem with the Bill, even earlier was the autonomy of the data protection authority,” said justice (retired) BN Srikrishna, who led the effort to draw up the first version of the bill. “This makes it even worse because the board is completely at the whim of the central government, it is not even defined who can be a part of it.” The proposal suggests the DPB’s members, including its chief executive, be appointed by the central government. “The central government itself will likely be the largest litigant in terms of the data it collects so in that sense, the DPB will not truly be independent,” said Raman Jit Singh Chima, Asia Pacific Policy director at Access Now.
But many of the other provisions will help the technology industry, two experts said.
“This Bill is certainly a step in the right direction of striking a balance between supporting innovation and protecting user rights. In particular we note that many obligations applicable to data fiduciaries and processors and mechanisms relating to data processing have been simplified, which will likely enable easier compliance,” Shahana Chatterji, partner, Shardul Amarchand Mangaldas & Co.
“That said, a significant portion of the rulemaking is likely to occur through rules and guidelines to be issued under the proposed law. We look forward to working with the government in developing these rules and the emerging data protection framework in India and supporting its aim of a $1 trillion digital economy,” Chatterji added. “One of the most discussed aspects in any such regulation is data localisation. The Bill offers a relatively soft stand on data localisation requirements and permits data transfer to select global destinations basis some predefined assessments. This is likely to foster country-to-country trade agreements, make it relatively easier for global enterprises to operate and process data with their current set-up rather than mandatorily developing large infrastructure in India for storing and processing of personal data,” said Manish Sehgal, partner at Deloitte India.
The Bill, Sehgal said, “aligns to nations’ digital spree” and its title “itself signifies the intent to continue pushing the digitisation agenda thereby offering a legal framework to govern collection,