Data bill eases transfer rules, raises penalties

Updated on Nov 19, 2022 05:58 AM IST

The Centre on Friday unveiled the Digital Data Protection Bill for public consultation, having redrawn a long-delayed law that will provide the legal framework for the fundamental right to privacy of Indian citizens with major implications for tech companies and digital businesses.

Representational image(Shutterstock)
Representational image(Shutterstock)
ByDeeksha Bhardwaj and Binayak Dasgupta, New Delhi

The Centre on Friday unveiled the Digital Data Protection Bill for public consultation, having redrawn a long-delayed law that will provide the legal framework for the fundamental right to privacy of Indian citizens with major implications for tech companies and digital businesses.

Now in its fourth iteration, the bill was shared by the Union ministry of electronics and technology and will likely be introduced in the upcoming winter session of parliament.

The key aspects of the bill include laying down certain conditions for how personal data – defined as “any data about an individual who is identifiable by or in relation to such data” – of Indian citizens will be handled, the obligations of those that collect it, and the powers of the government in accessing such information.

“The focus is on protecting internet users from all kinds of online harm, and create a safe and trusted digital ecosystem keeping in mind that India is a digital economy powerhouse today,” said the Union minister for technology, Ashwini Vaishnaw, while speaking to reporters in Delhi.

The minister added that the government has “made sure that all principles of privacy” laid down by the Supreme Court and in other countries have been included, while also ensuring that the “start-up ecosystem and small businesses are not encumbered by a huge compliance burden”.

The bill retains some principles from the past version, which was withdrawn by the government in August after it was held up in discussions among parliamentarians who eventually issued a report with several dissenting. These include provisions that say that data must be processed after obtaining clear consent, the consent can be revoked, users have the right to be forgotten and those collecting the data will be liable for any breaches that expose the personal information of people in an unauthorised manner.

Vaishnaw pointed to the bills wording as a significant feature. “We have attempted in the philosophy of women’s empowerment that Prime Minister Narendra Modi ji’s government works to use the words she and her in the entire bill, instead of he, him and his. So this is an innovative thing which has been attempted in the bill,” the minister said.

The compliance of the law will be overseen by the Data Protection Board (DPB), which can levy up to 500 crore in fines against a data fiduciary – an entity that collects or processes data – that failed to take reasonable safeguards to prevent breaches of private information. In the previous version, the fine was pegged at 15 crore of 4% of annual turnover.

Among the key new provisions for data fiduciaries are that they will need to appoint a data protection officer, carry out regular audits (if they are classified as a significant data fiduciary) and remove the private information as soon as the business purpose to do so is over.

For the industry, which resisted data localisation rules in the previous proposals, the new draft now says the government could specify countries to which entities managing data can transfer personal data of users.

Sections relating to the prerogatives of the government and a concept included as “deemed consent” are likely to generate debate, though. The bill, like past versions that triggered a controversy , retains exemptions (under section 18) that allow the government to process personal data without consent for purposes such as “maintenance of public order” and “preventing incitement to any cognizable offence”.

It also proposes to exempt the government from having to remove personal data when its purpose is fulfilled and gives the government the power to exempt “any instrumentality of the state in the interests of sovereignty…, security…, friendly relations with foreign states, maintenance of public order” from the safeguards of the law via notification in the future.

Experts said such provisions were unconstitutional. “Earlier, according to the 2018 draft, to grant an exemption, the government needed the approval of the Parliament,” said Supreme Court lawyer and founder of Cybersaathi, NS Nappinai. “Now they are proposing that exemptions can be introduced in by order of the central government. That is unconstitutional and will not stand the test of judicial review.”

A second expert flagged the constitution of the DPB, which they said had less autonomy. “The biggest problem with the Bill, even earlier was the autonomy of the data protection authority,” said justice (retired) BN Srikrishna, who led the effort to draw up the first version of the bill. “This makes it even worse because the board is completely at the whim of the central government, it is not even defined who can be a part of it.”

The proposal suggests the DPB’s members, including its chief executive, be appointed by the central government. “The central government itself will likely be the largest litigant in terms of the data it collects so in that sense, the DPB will not truly be independent,” said Raman Jit Singh Chima, Asia Pacific Policy director at Access Now.

But many of the other provisions will help the technology industry, two experts said.

“This Bill is certainly a step in the right direction of striking a balance between supporting innovation and protecting user rights. In particular we note that many obligations applicable to data fiduciaries and processors and mechanisms relating to data processing have been simplified, which will likely enable easier compliance,” Shahana Chatterji, partner, Shardul Amarchand Mangaldas & Co.

“That said, a significant portion of the rulemaking is likely to occur through rules and guidelines to be issued under the proposed law. We look forward to working with the government in developing these rules and the emerging data protection framework in India and supporting its aim of a $1 trillion digital economy,” Chatterji added.

“One of the most discussed aspects in any such regulation is data localisation. The Bill offers a relatively soft stand on data localisation requirements and permits data transfer to select global destinations basis some predefined assessments. This is likely to foster country-to-country trade agreements, make it relatively easier for global enterprises to operate and process data with their current set-up rather than mandatorily developing large infrastructure in India for storing and processing of personal data,” said Manish Sehgal, partner at Deloitte India.

The Bill, Sehgal said, “aligns to nations’ digital spree” and its title “itself signifies the intent to continue pushing the digitisation agenda thereby offering a legal framework to govern collection, usage, processing, and storage of digital personal data”.

“However, the Bill’s exemptions for Central and State agencies, along with exclusion of personal data stored and or processed in non-digital (original / handwritten / paper) format may be a gap to protect personal data and ensure privacy in entirety,” Sehgal added.

“It’s interesting to note that the bill has also proposed a penalty of 10,000 for non-compliance of duties expected of a Data Principal, which isn’t a common trend. However, this is likely to promote authenticity in data principal requests and limit non-legitimate requests.”

Get Latest India Newsalong with Latest Newsand Top Headlinesfrom India and around the world.
Story Saved
Saved Articles
My Reads
My Offers
Sign out
New Delhi 0C
Wednesday, February 01, 2023
Start 15 Days Free Trial Subscribe Now
Register Free and get Exciting Deals