The Union Cabinet on Wednesday approved the Digital Personal Data Protection Bill that will be taken to Parliament in the upcoming Monsoon Session to be passed as a law. Once passed, the law will be India’s first on data privacy and data protection.
People aware of the details said that the Bill entails penalising private as well as government entities ₹250 crore per instance in case of a data breach, which can be raised to ₹500 crore by the Data Protection Board that will be constituted as the appellate body under the law. The penalties will be decided on a case-by-case basis, depending on the severity, extent of harm or loss, the scale and number of people impacted by the breach, and the clauses that have been specified in the Bill.
“The Board will comprise mainly of professionals, as many as possible. It will be an independent body, its powers will be specified in the law. It will recommend the penalties which can go up to ₹250 crore. If it recommends above that level up to ₹500 crore, Cabinet has to be apprised and it has to be presented in Parliament, but for anything beyond ₹500 crore, the law will have to be amended. It will not be an arithmetic calculation and this is a field which is rapidly evolving,” one of the people said requesting anonymity.
The government intends to have a simple rule book for implementation of the law for easier and faster compliance, and hence has kept a short time frame for the rules and regulations to be executed. “Plans have been made in advance on how it will be rolled out, it will be digital by design,” the person added.
The Bill will also have special circumstances — such as a pandemic, law enforcement, protection of IP rights within employment, golden hour for medical treatment, natural disasters, etc. — under which deemed consent will not be sought from users by government agencies. But in other cases, consent will be required by apps and platforms, which will be explicit and elaborated in clear languages. “Blanket consent will not be permitted, apps will have to make some changes,” the person added.
Individuals will have the right to seek details about their data collection, storage and processing once the law is implemented. “Citizens will have the right to claim compensation by approaching civil court. There are a lot of things that will evolve gradually,” he said.
The person added that government entities have not been granted blanket exemption under the proposed law, and well-thought-out carve-outs have been made for collection, storage and processing of data, since the government was an important fiduciary of data.
One of the people said that the Bill was discussed exhaustively since it was first introduced in November 2022, with over 21,666 suggestions from across stakeholders reviewed by the government. The Bill, once tabled in the Parliament, may not be reviewed by a joint committee of the House, the person said, noting that recommendations made by the joint committee on the previous version of the Bill — which was ultimately withdrawn — had been incorporated in the new Bill.
Noting that only a few changes had been made between the Bill cleared by the Cabinet and the draft issued last year, people said that the Bill allows for multinational companies to store user data overseas, thus not restricting cross-border data transfer. “We’re getting a lot of data from various parts of the world, our IT industry is the biggest processors of all kinds of data, therefore it’s important that we create a structure by which this kind of data economy does not get disrupted,” another person familiar with the development told Tech Circle.
“Even though overarching changes aren’t expected in the DPDP Bill approved by the Cabinet today, there were discussions around whitelisting, as well as blacklisting of jurisdictions — the final version of the regulation may see alterations there. The adjudicatory mechanism may see refinements as well,” a senior policy consultant to the Centre said, asking not to be named.
“We can expect some tightening in leeways being offered to government bodies and agencies, because if there are avenues that could be prone to a writ petition as soon as the law is passed, it could be a dampener for the government. There have been closed-door meetings held to address such issues,” the consultant added.
The Bill will also specify the responsibilities of an organisation or an app that collects, stores, processes and secures the data of people and also the rights of users that provide the data.
The Bill also provides for an alternate dispute resolution mechanism as a platform for issues outside the judicial system and hence would lead to reduced litigation. Voluntary undertaking has been provided for entities to own up their violations of law by paying up penalties or fines, followed by implementation of mitigation measures. However, the entities will not be absolved completely and will be liable to investigations by the Data Protection Board.
To safeguard children, the Bill has proposed a penalty of ₹200 crore on an entity that does not take parental consent for processing data of a child, processes data that may harm a child, tracks or enables behaviour monitoring of children or undertakes targeted advertising directed at children.
The draft Bill issued in November had specified that a penalty of ₹150 crore will be levied if a significant data fiduciary, which has been notified by the government, does not appoint a data protection officer and independent data auditor and fails to undertake data protection impact assessments and periodic audits.
The significant data fiduciary will be determined based on the volume and sensitivity of the personal data processed, risk of harm to users or electoral democracy, and potential impact on India’s sovereignty, security and public order.
Experts said that the Act may also bring about changes to CERT-In’s role — in terms of how personal data protection is handled. After the DPDP’s enforcement as an Act, a lot of people from under the Indian Computer Emergency Response Team (CERT-In) are likely to get moved to apply the DPDP legislations — they’ve gained good knowledge over time, and have expertise to handle data-related issues.
Supratim Chakraborty, partner, corporate and commercial practice, Khaitan & Co, said, “The DPDP Bill has been debated for a while — it can come into effect as a standalone legislation now, like any other data protection law internationally. What we’re therefore looking at is a super-structure of sorts — perhaps with the Digital India Act, or even before it comes into existence. This super-structure of regulations could have the DPDP Act as an important pillar, which with other Acts could form India’s digital legal ecosystem.”
“Once the IT Act is replaced with the DIA, the DPDP Act will have to continue to exist independently, and not be amalgamated with other upcoming regulations. The IT Act has provisions pertaining to personal data, which will have to go away when DPDP Bill is promulgated as a law so that there is no duplication,” he added.