This new Bill, after it is passed by Parliament, will protect the rights of all citizens, allow the innovation economy to expand and permit the government’s lawful and legitimate access in national security
Gulveen Aulakh & Shouvik Das, New Delhi
The central government on Thursday presented the Digital Personal Data Protection (DPDP) Bill in Lok Sabha, its second attempt to create legislation governing data privacy and protection in the country.
“This new bill, after it is passed by Parliament, will protect the rights of all citizens, allow innovation economy to expand, and permit the government’s lawful and legitimate access in national security and emergencies like pandemics and earthquakes,” said Rajeev Chandrasekhar, minister of state for electronics and information technology.
“The DPDP bill is a global standard—contemporary, future-ready, yet, simple and easy to understand,” he said, adding that the bill was drafted after exhaustive consultations with a multitude of stakeholders.
The bill envisages penalties of up to ₹250 crore per instance in the case of a data breach, lower than the ₹500 crore penalty that was proposed in the earlier draft issued in November last year.
A senior official said that the penalty will depend on the number of instances of breach, so the total can be a multiple of the per-instance amount.
The bill further provides that the Centre will decide which companies are deemed “significant data fiduciaries” based on multiple factors, such as their “risk to the rights of the data principal (users)”, “potential impact on the sovereignty and integrity of India”, “risk to electoral democracy”, “security of the State”, and more.
A government official said on condition of anonymity that Section 10 of the bill, which mandates a significant fiduciary to have a local office and a data protection officer (DPO), was inserted “to make privacy provisions much stronger.”
The bill’s Section 37 will further enable the government to block a company, or impose financial penalties, in case of violations. “If any fiduciary does not stop violating the rules after two instances or being penalized twice, the government can ban or block the platform. This is critical for the protection of the users and to control large companies with deep pockets,” the official added.
He further said that the data fiduciaries “will have to make stronger agreements with their partners or contractors because, in case of breach of data between a fiduciary and a data principal, the liability will lie with the fiduciary.”
The Union cabinet approved the bill last month with several changes. One added clause allows the government to direct any government agency, intermediary or platform to block or ban any information in the interest of the general public, after giving an opportunity of being heard to the ‘data fiduciary’, that is, the company that is in possession of a person’s data and is processing it.
“Every intermediary who receives a direction issued under sub-section (7) shall be bound to comply with the same,” the bill states.
Legal specialists and observers said that the bill’s scope has been expanded to include semi-automated and mechanical digital data processing. Under the general obligations, the terminology and scope of deemed consent have been changed to “legitimate usage”, which experts said has broadened the grounds on which data processing may proceed without explicit consent.
The official added that the significant data fiduciary will be determined by the impact that entity has on user data, rather than the scale of the entity.
The new bill, in a significant departure from the previous version of the draft released on 18 November 2022, introduces a provision that grants the government the authority to set a lower age for children for the purposes of the bill, which is currently set at 18 years. This lowering of age would be applicable only to those processing activities of businesses which are deemed verifiably safe by the Indian government, legal experts said.
“A certain class of data fiduciaries or specific functions can be exempted from the additional obligations of processing children’s data, while the provisions are also extended to disabled persons who may or may not be a ‘child’. The open-ended determining factor for classifying an entity as significant data fiduciary has been removed; however, there is less clarity regarding the threshold, and clauses have been added where the government may prescribe more obligations in future,” said Kazim Rizvi, founder-director of policy think-tank, The Dialogue.
The provision of a negative list approach for the cross-border transfer of personal data instead of a white list represents a significant shift in strategy. Based on this approach, the Indian government will have the ability to regulate and limit the transfer of personal data across borders based on specific criteria set by the Indian government.
“DPDP will not override any law that provides for a higher degree of protection for or restriction on transfer of personal data by an entity,” the official added.
“The approach adopted by the Indian government in determining the criteria for the negative list and maintaining harmony between sectoral laws and the bill will be crucial,” said Supratim Chakraborty, partner at Khaitan & Co.
The bill also mandates that consent for the collection of personal data must meet specific criteria, including being specific, informed, unconditional, unambiguous, and limited to the extent necessary for the specified purpose. Further, the bill provides that even where consent is obtained for a specified purpose, the consent will only be valid where the processing of personal data is necessary for such a specified purpose.
This provision has significant implications for businesses, as they will now be required to obtain consent only for purposes that are necessary and for which the data is being collected, Chakraborty added.
Cyril Shroff, managing partner at law firm Cyril Amarchand Mangaldas, said that this clause will cause businesses “to rethink how they treat user data.”
“From the current approach of ‘more data is good’, businesses will need to see themselves as fiduciaries for data, and be mindful about how much they collect, what they use it for, and how (and for how long) they keep data,” Shroff added.
Others, however, raised contrarian voices on the bill. Akash Karmakar, partner at law firm Panag & Babu, noted that the bill contains multiple ambiguities and missed opportunities.
“Big tech companies in India will find conspicuous by its absence any specific acknowledgement in the law that anonymized or de-identified data would remain outside the scope of the bill,” Karmakar said, suggesting that the handling of de-identified personal user data represents a clear gap that the DPDP bill does not address.
He further added that provisions on the Centre’s powers “to direct any intermediary to furnish such information lack proportionate safeguards in terms of the circumstances under which such a direction or blocking of access is issued.” The bill, Karmakar added, also does not provide tech intermediaries with “any review mechanism or appeal process.”
A senior legal consultant who worked on multiple drafts of the bill added that there could be multiple debates around the “broad-brush exemptions that have been afforded to the government, which, in turn, will bring up the need for future amendments.” Another policy consultant for a leading think-tank concurred, adding that the bill “lacks adequate legal provisions to add checks and balances to the government’s ability to direct retention and access of personal user data.”
Mishi Choudhary, legal director at US-based Software Freedom Law Center, said that another issue with the bill is the deletion of Section 43A of the Information Technology Act, 2000, without offering a substitute to it, as “the bill does not provide for compensation to be granted for data principals whose privacy has been violated and has suffered a loss.”
A senior official however said that users would still be able to seek compensation through the regular legal procedure, or filing a case against the fiduciary.
Choudhary further added, “A problematic provision is a clause added in the bill for blocking a computer resource which could be used for blocking websites and applications.”
The new bill proposes a tiered grievance redressal mechanism for individuals, who will have the option to approach the Data Protection Board of India only after they have exhausted the grievance redressal process provided by the entity concerned.
The official said that the government expects about 90% of grievances to be resolved at the levels below the TDSAT (Telecom Disputes Settlement and Appellate Tribunal), and hence the mechanism will not be a burden on the tribunal’s capacity.