Draft Digital Personal Personal Data Protection bill approved by Cabinet
Asia News Agency
The cabinet last week approved the Digital Personal Personal Data Protection Bill, 2022.
The fresh draft was released following the withdrawal of an earlier version from Parliament last August after nearly four years in the works, where it went through multiple iterations, a review by a Joint Committee of Parliament (JCP), and pushback from a range of stakeholders including tech companies and privacy activists.
Overarching framework of technology regulations
The Digital Personal Data Protection Bill, 2022, is a crucial pillar of the overarching framework of technology regulations the Centre is building, which also includes the Digital India Bill — the proposed successor to the Information Technology Act, 2000, the draft Indian Telecommunication Bill, 2022, and a policy for non-personal data governance.
The proposed law will apply to processing of digital personal data within India; and to data processing outside the country if it is done for offering goods or services, or for profiling individuals in India.
It requires entities that collect personal data — called data fiduciaries — to maintain the accuracy of data, keep data secure, and delete data once their purpose has been met.
The Bill will play a crucial role in India’s trade negotiations: The Bill, once it becomes law, will play a crucial role in India’s trade negotiations with other nations, and especially regions like the European Union, whose General Data Protection Rules (GDPR) are among the world’s most exhaustive privacy laws.
Concerns: key changes and exemptions
One of the key changes to the final draft of the Bill is learnt to be in the way it deals with cross-border data flows to international jurisdictions – by moving away from a whitelisting approach, to a blacklisting mechanism.
However, the Bill, writes Soumyarendra Barik (Principal Correspondent with The Indian Express and reports on the intersection of technology, policy and society) “is learnt to have retained the contents of the original version of the legislation proposed last November, including those that were red flagged by privacy experts. Wide-ranging exemptions for the Central government and its agencies, remain unchanged. The Central government will have the right to exempt 'any instrumentality of the state’ from adverse consequences citing national security, relations with foreign governments, and maintenance of public order among other things.”
It was felt that the proposed new law could allow global data flows by default to all jurisdictions other than a specified negative list of countries where such transfers would be restricted – essentially an official blacklist of countries where transfers would be prohibited.
Transfer of personal data across jurisdictions: The draft, which was released for public consultation in November, said the Central government will notify countries or territories where personal data of Indian citizens can be transferred, that is, a whitelist of jurisdictions where data transfers would be allowed.
‘Deemed consent’: A provision on ‘deemed consent’ in the previous draft could be reworded to make it stricter for private entities while allowing government departments to assume consent while processing personal data on grounds of national security and public interest.
Voluntary undertaking: The Bill is expected to allow 'voluntary undertaking’ – meaning that entities that have violated provisions of law can bring it up with the Data Protection Board, which can decide to bar proceedings against the entity by accepting settlement fees. Repeat offences of the same nature could attract higher financial penalties.
The highest penalty that can be levied on an entity – in account of failing to prevent a data breach – has been prescribed to be Rs 250 crore per instance.
Digital by design: The implementation of the Bill will be ‘digital by design,’ insisting that ‘advanced' plans have been made by the government to that end. Consent requirements under the Bill could also force companies to change the way they serve up cookies on their websites, where they will have to seek specific consent on how the cookies might track a user’s activities on their site, the official said.
