NEW DELHI: The Union cabinet on Wednesday cleared the proposed data protection law, likely to be introduced for discussion during the monsoon session of parliament, paving the way for the country’s first privacy law under which data fiduciaries, government and private, will have to issue a notice to the public declaring the data collected, stored and shared by them, officials familiar with the matter said.

The law, however, will not apply retrospectively to any information breach that occurred in the past. (File Photo)

{{^userSubscribed}} {{/userSubscribed}}

{{^userSubscribed}} {{/userSubscribed}}

“The law is universal and will apply to all data fiduciaries, government and private,” one official said on the condition of anonymity. “The people have a right to know what data has been collected, stored and shared.”

The law, however, will not apply retrospectively to any information breach that occurred in the past.

The proposed legislation proposes sweeping changes in the country’s data economy, and is likely to be introduced in the monsoon session of Parliament.

“It is a technology-agnostic law,” the official cited above said.

“Three legislations will shape the future of the data economy as it grows, the digital data protection bill, the telecom bill and the digital India bill. There will be a transition period to adapt to the new law to ensure there is no disruption in the working of businesses.”

{{^userSubscribed}} {{/userSubscribed}}

{{^userSubscribed}} {{/userSubscribed}}

The digital data protection bill proposes a stiff fine for an instance of data breach. “Depending on the severity of the breach, the government will determine the fine, which can go up to ₹500 crore with the approval of the union cabinet,” the official said. Any fine above this threshold will require parliament’s nod.

The bill has been drafted to stand the “test of time”, “be simple and contextual in its approach” and be implemented in a swift and efficient fashion.

HT reported on Monday that the bill will add penal provisions for entities that flout “voluntary undertaking” commitments.

“A data entity can admit that they have made a mistake and pay the fine, but that will not exempt them from legal action initiated by a data principal,” the official mentioned above said. “It is a mitigation measure.”

{{^userSubscribed}} {{/userSubscribed}}

{{^userSubscribed}} {{/userSubscribed}}

The proposed punishments are meant to give teeth to a provision in the bill that allows companies to proactively inform the future data protection board about privacy breaches and undertake remedial measures, which could otherwise help them avoid hefty fines.

The data protection law has been long overdue and the government has had to go back to the drawing board more than once after previous attempts were seen to have failed to strike a balance between privacy and ease of compliance

SHARE THIS ARTICLE ON