Parliament on Wednesday approved the Digital Personal Data Protection Bill that introduces several compliance requirements for the collection and processing of personal data and provisions for up to Rs 250 crore penalty for any data breach.
The government expects to implement Digital Personal Data Protection Act 2023 within 10 months. The Lok Sabha approved the Bill on August 7, and with the Rajya Sabha giving its consent on Wednesday, the parliamentary approval process is complete. The Bill will now go to the President for assent, after which it will become law. Moving the bill for consideration and passage in the Upper House of Parliament, Union IT Minister Ashwini Vaishnaw said, “It would have been good, had the opposition discussed the bill today (in the House). But no opposition leader or member is concerned over the rights of the citizens”.
The Bill provides for how companies should process users’ data. It allows companies to transfer users’ data abroad and gives the government power to seek information from firms and issue directions to block content on the advice of a data protection board appointed by the Union government. “We have started work on implementation. This kind of legislation will require a 6-10 month kind of frame. We will take every step with proper checks and balances. It is a guesstimate. We might do it faster than that,” Vaishnaw told reporters. The government has been in the process of introducing a standalone data protection legislation since 2018.
The Bill applies to the processing of digital personal data in India, where the personal data is either collected in digital form or in a non-digitised format and subsequently digitised. The bill defines ‘personal data’ broadly to include any data about an individual who is identifiable or in relation to such data. ‘Digital personal data’ is defined to mean personal data in digital form. While the Bill gives the government powers to exempt state agencies from the law, it allows users the right to correct their personal data. The Bill has, however, been criticised by some. Digital rights advocacy group The Internet Freedom Foundation pointed out that the law does not contain any meaningful safeguards against “over-broad surveillance”, while the Editors Guild of India has said it affects press freedom and dilutes the Right to Information law.
AIADMK M Thambidurai had raised the issue of the medical data of politicians getting reported in the media and it should be protected as personal data. Vaishnaw said the DPDP 2023 will not overwrite sectoral rules and rules for media will be as per existing related laws. “However, the healthcare department should not leak someone’s personal data without proper consent,” he said. All in all, the Digital Personal Data Protection Bill or Data Protection Bill in short, provides for the processing of digital personal data recognising the rights of individuals to safeguard their information and the need to process personal data for lawful purposes.
It defines personal data breach as unauthorised processing of personal data or accidental disclosure, acquisition, sharing, use, destruction of or loss of access to personal data, that compromises the confidentiality, integrity or availability of personal data. It classifies the data ecosystem into Data Fiduciaries (who determines the purpose and means of processing personal data) and Data Principal (individual to whom the personal data belongs), laying down obligations and dos and dont’s for the former and specifying the rights and duties of the latter. The minister said an independent Data Protection Board (DPB) will be created, which is “digital by design”, and will provide similar access to justice to people across the country in the same way as privileged people in cities like Delhi and Mumbai.
Vaishnaw said that the subject of Data privacy comes under centre and bills will evolve over a period of time. When asked if there will be a state-level DPB, the minister said that bodies like DPB are created at the Union level to check misuse of jurisdiction by rule violators. Personal data can be processed only for a lawful purpose for which an individual has given consent and for certain legitimate uses. Referring to certain principles on which the bill is based, Vaishnaw said that according to the principle of legality, the data of a person has to be taken based on prevailing laws and cannot be used for the purpose beyond which it has been collected. The motion to send the bill to the select committee of Parliament by Rajya Sabha members John Brittas and V Sivadasan was not moved due to their absence in the house when the bill was put for a vote.
While the Bill was passed amid a walkout by the opposition members, Vaishnaw said that he has individually discussed the Bill with very vocal leaders in the opposition, and they have appreciated the bill. He, however, slammed the opposition for not participating in the discussion over the bill. “Opposition has no interest in the rights of 140 crore people. They should have also participated and joined everyone in passing the bill,” Vaishnaw said. Shardul Amarchand Mangaldas and Co-Partner Hemant Krishna feels the implementation of the DPDP will give control to citizens and businesses over collecting and processing data. “With the strides made by AI, personal data can be processed with unprecedented velocity and sophistication. Ironically, despite the volume and variety of personal data in India, due to the absence of a proper privacy framework, citizens have not had sufficient control over their data and businesses have struggled to find legitimate ways to collect and process personal data. That is all set to change when the DPDP Bill becomes law.”