New Delhi: The union Cabinet, chaired by Prime Minister Narendra Modi, Wednesday approved the draft Digital Personal Data Protection (DPDP) Bill, 2023, and will now be tabled in the upcoming monsoon session of Parliament for approval, a senior government official told ThePrint.
The draft bill — put out in the public domain for consultations in November 2022 — proposes a hefty increase in penalty amount of up to Rs 500 crore for violating the provisions, while also easing rules on cross-border data flows, among other things.
The official from the Ministry of Electronics and Information Technology said that the government received about 21,666 comments on the draft bill and “each and everyone was considered and included in the final bill, wherever possible”.
Some minor changes have been introduced in the bill, added the official, however, he didn’t share the details.
“We consulted with about 48 organisations… we have drafted the bill in a manner that it stands the test of time even as the technology keeps changing,” the official said.
According to the draft, the Data Protection Board — a new regulatory body to be set up by the government — can impose a penalty of up to Rs 500 crore if non-compliance by a person is found to be significant.
The bill proposes six types of penalties for non-compliance, including up to Rs 250 crore for failure to take reasonable security safeguards, up to Rs 200 crore for failure to notify the Board and affected users in the event of a personal data breach, and up to Rs 200 crore for non-fulfilment of additional obligations related to children.
The draft does away with the clause for compensation to affected data principals and proposes to impose a penalty of Rs 10,000 on individuals providing unverifiable or false information while applying for any document, service, proof of identity or address, or registering a false or frivolous complaint with a data fiduciary (who collects and processes the data) or with the board.
The Bill defines a “Data Principal” as an “individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child”. Organisations such as banks will have to explicitly state the purpose of collecting data.
Replying to a query on removal of the compensation clause, the official said that the compensation for the affected will be decided by the judiciary.
“The affected party can take the data fiduciary to civil court for any breach or misuse of data,” the official said.
The draft bill will now be tabled in the Parliament, and will become an act once approved by the Parliament. The monsoon session of Parliament will be held from July 20 to August 11.
Also Read: Age clause in data protection bill — excessive control or keeping kids safe?
In the works for 6 years
The personal data protection bill has been in the works for about six years.
The first draft of the bill was presented by an expert panel headed by Justice B.N. Srikrishna in July 2018, after a year-long consultation process. The first draft was revised and a final bill was tabled in Parliament in December 2019.
However, it was soon referred to a joint parliamentary committee, which submitted its report in December 2021.
The ministry withdrew the bill from Parliament August last year and stated that a new one would be presented, which fit into the “comprehensive legal framework”. And the draft bill approved Wednesday by the Cabinet — which narrows down the scope of the data protection regime to personal data protection — was released in November 2022.
It also mandates the consent of the individual to be the basis for processing of their personal data, except in certain circumstances where seeking the consent of the data principal is “impracticable or inadvisable due to pressing concerns”
Data fiduciaries collecting personal data from individuals will need to provide “itemised notice” in clear and plain language containing a description of personal data sought and the purpose of processing of such personal data.
The draft bill also gives the power to the government to offer exemption from its provisions “in the interests of sovereignty and integrity of India” and to maintain public order. However, the official said that government entities have not been granted blanket exemption under the proposed law.
(Edited by Anumeha Saxena)
Also Read: New data bill carries one disappointment from previous versions—exempting govt agencies