The union cabinet is learnt to have cleared the Digital Personal Data Protection Bill. Sources aware of the development, said that it was cleared during the cabinet meeting, held earlier in the day. With the clearance given by the cabinet to the bill, it may now be introduced in the forthcoming monsoon session of Parliament.
As per the provisions of the bill, if one's personal data is misused, it will entail a fine of up to Rs 500 crore, sources said. The bill will have jurisdiction over the processing of digital personal data in India. This includes data collected online or offline and later digitised. The bill will also apply to the processing of data outside of India if it involves offering goods or services or profiling individuals in India.
Also, in order to ensure that provisions of the bill are enacted properly, a data protection board would be set up. It will hear grievances of the people and redress them. To ensure protection of one's data, if a user deletes one's social media account, then the company too will have to do the same. Also, the users will have the right to update or delete their personal data from social media platforms.
More significantly, any data considered harmful for children, would require parental consent. Social media companies would also have to ensure that children's data is not being tracked. Another provision included in the bill says that if a company requires biometric data of an employee for attendance purposes, then it will have to seek the employee's permission for it.
The bill also empowers users with the right to know which organisation wants to use his or her personal data. The controversial bill is the government's second attempt at preparing a framework for personal data protection.
The government had withdrawn the earlier version of the bill titled Personal Data Protection Bill 2019 in August last year, after a joint committee of Parliament had recommended 81 amendments and 12 recommendations towards a comprehensive legal framework on digital ecosystem.
While withdrawing the bill in Parliament, Information Technology Minister Ashwini Vaishnaw had said that the government has decided to come up with a fresh bill that fits into the comprehensive legal framework with reference to the suggestions made by the joint committee of Parliament on it.
Key highlights of DPDPB 2022
- The Bill will apply to the processing of digital personal data within India where such data is collected online, or collected offline and is digitised. It will also apply to such processing outside India, if it is for offering goods or services or profiling individuals in India.
- Personal data may be processed only for a lawful purpose for which an individual has given consent. Consent may be deemed in certain cases.
- Data fiduciaries will be obligated to maintain the accuracy of data, keep data secure, and delete data once its purpose has been met.
- The Bill grants certain rights to individuals including the right to obtain information, seek correction and erasure, and grievance redressal.
- The central government may exempt government agencies from the application of provisions of the Bill in the interest of specified grounds such as security of the state, public order, and prevention of offences.
- The central government will establish the Data Protection Board of India to adjudicate non-compliance with the provisions of the Bill.
- The Bill does not grant the right to data portability and the right to be forgotten to the data principal.
- The Bill requires all data fiduciaries to obtain verifiable consent from the legal guardian before processing the personal data of a child. To comply with this provision, every data fiduciary will have to verify the age of everyone signing up for its services. This may have adverse implications for anonymity in the digital space.
- The Bill accords differential treatment on consent and storage limitation to private and government entities performing the same commercial function such as providing banking or telecom services. This may violate the right to equality of the private sector providers.
- Exemptions to data processing by the State on grounds such as national security may lead to data collection, processing and retention beyond what is necessary. This may violate the fundamental right to privacy.