Cabinet clears fifth draft of privacy law
The proposed legislation will seek sweeping changes in the country’s data economy, and is likely to be introduced in the monsoon session of Parliament
The Union Cabinet on Wednesday cleared the digital data protection bill to be introduced in Parliament, with officials saying data fiduciaries — government and private — will have to issue a notice to the public declaring data they have collected, stored and shared by them when it comes into force, officials familiar with the matter said.
Wednesday’s decision is only the latest in a long-drawn process to give a legal framework to data privacy of Indian citizens, with the first draft of the law being presented by a special commission close to six years ago before being sent back for painstaking deliberations as the stakeholders sought a balance between ease of compliance and privacy protections.
“The law is universal and will apply to all data fiduciaries, government and private,” one of the officials, referring to the mandatory initial disclosure data fiduciaries will need to make on the information they already have of people. “The people have a right to know what data has been collected, stored and shared,” this person said, asking not to be named.
The law itself will not apply retrospectively to any breaches that have occurred in the past, this person said.
The proposed legislation will seek sweeping changes in the country’s data economy, and is likely to be introduced in the monsoon session of Parliament. “It is a technology-agnostic law,” the official said. “Three legislations will shape the future of the data economy as it grows: the digital data protection bill, the telecom bill and the Digital India bill. There will be a transition period to adapt to the new law to ensure there is no disruption in the working of businesses.”
The law proposes a fine of up to ₹250 crore on any entity that processes personal data and failed to safeguard, and how this penalty is applied will be determined on a case-to-case basis. “Depending on the severity of the breach, the government will determine the fine, which can go up to ₹500 crore with the approval of the Union Cabinet,” the official said.
Any fine above that threshold will require the nod of the Parliament, this person added.
The bill has been drafted to stand the “test of time”, “be simple and contextual in its approach”, and be implemented in a swift and efficient fashion.
The government released a version of this law for public feedback in November, 2022, and there is no clarity yet on what changes have since been made to it. That draft, the fourth iteration since its inception, involved sweeping changes from its previous version.
At the time, Union minister for technology, Ashwini Vaishnaw, said the focus of the law was to protect “internet users from all kinds of online harm” as well as to “create a safe and trusted digital ecosystem”.
The challenge to strike such a balance — between making the law watertight and too cumbersome to comply with -— is indeed tricky, especially since the nature of technology and its acceptable uses are ever-evolving notions. But the last-known version of the law appeared to tilt too far away from privacy protections with clauses that allowed for consent to be deemed for a wide variety of purposes and leaving many crucial aspects to be decided by the executive later. These must be addressed.
The key aspects of the bill include laying down certain conditions for how personal data — defined as “any data about an individual who is identifiable by or in relation to such data” — of Indian citizens will be handled, the obligations of those that collect it, and the powers of the government in accessing such information.
Among the core pillars of the draft — which is unlikely to be changed — was to create a Data Protection Board (DPB), which can levy fines against a data fiduciary that failed to take reasonable safeguards to prevent breaches of private information.
It also proposes that data fiduciaries will need to appoint a data protection officer, carry out regular audits and remove the private information as soon as the business purpose to do so is over.
HT reported on Monday that the bill will add penal provisions for entities that flout “voluntary undertaking” commitments, a process by which they can work with the Board to mitigate any breach without being prosecuted under provisions of the law. “A data entity can admit that they have made a mistake and pay the fine, but that will not exempt them from legal action initiated by a data principal,” the official mentioned above said. “It is a mitigation measure.”
Activists and experts at the time raised certain concerns with the provisions, while many in the industry said it eased requirements that could have scuttled innovation.
Among the criticised provisions is one on deemed consent, which the official quoted above said was not a new practice.
The official mentioned above said that deemed consent will apply in “specific cases”, and for “legitimate purposes”, during times, such as health emergencies, where consent cannot be obtained immediately.