The government on Thursday tabled the Digital Personal Data Protection Bill 2023 in the Lok Sabha with an aim to protect the privacy of Indian citizens while proposing a penalty of up to Rs 250 crore on entities for misusing or failing to protect the digital data of individuals.
The bill, which comes six years after the Supreme Court declared "Right to Privacy" a fundamental right, has provisions to curb the misuse of individuals' data by online platforms.
The judgement passed in August 2017 asked the government to examine and put in place a "robust regime" for data protection in the modern era.
While moving the bill, IT Minister Ashwini Vaishnaw rejected suggestions that it was a money bill. He said it was a "normal bill". Various opposition members opposed the bill at the introduction stage, questioning the measure.
Congress leader in Lok Sabha Adhir Ranjan Chowdhury and his party colleagues Manish Tewari and Shashi Tharoor said the issue of Right to Privacy was involved and the government should not rush with the bill.
The Digital Personal Data Protection Bill (DPDP) 2023 seeks to exempt the Centre and entities notified by it in some special cases related to the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence, court orders, research, etc.
This provision is being interpreted by privacy advocates as the Bill granting wider exemptions to the government.
"The Digital Personal Data Protection Bill, 2023 a bill to provide for the processing of digital personal data in a manner that recognises both the right of individuals to protect their personal data and the need to process such personal data for lawful purposes and for matters connected therewith or incidental thereto," the DPDP Bill 2023 said.
The bill moots the creation of a Data Protection Board of India to handle grievances of individuals around personal data privacy if data fiduciaries, or firms using personal data, fail to address individuals' complaints.
The bill proposes protection for the Centre, the board and its members, on "action taken in good faith".
Any person aggrieved by an order or direction made by the Board under the Digital Personal Data Protection Act, 2023 can appeal before the telecom tribunal TDSAT and thereafter before the apex court.
"An individual can appeal for compensation for damages caused due to breach of personal data before the civil court," a government source said.
Under the proposed bill, a penalty of a maximum of Rs 250 crore and a minimum of Rs 50 crore can be imposed for every instance in which an entity is found violating the norms proposed under the bill.
"If the board determines on conclusion of an inquiry that breach of the provisions of this Act or the rules made thereunder by a person is significant, it may, after giving the person an opportunity of being heard, impose such monetary penalty specified in the schedule," the bill said.
Provisions under the bill enable the Centre to block access to content in the interest of the general public on getting references in writing from the board.
Minister of State for Electronics and IT Rajeev Chandrasekhar said that the bill, after it is passed by Parliament, will protect the rights of all citizens, allow the innovation economy to expand and permit the government's lawful and legitimate access in cases of national security and emergencies like pandemics and earthquakes.
"It will take a lot of the concerns and a lot of misuse and exploitation that is done by many of these (online) platforms. Put a break on that once and for all. This is certainly legislation that will create deep lasting behavioural change and create high punitive consequences for any or all platforms that misuse or exploit personal data of any Indian citizen," Chandrasekhar said.
The bill proposes an exemption for the Centre, or entities authorised by it, in special cases from key compliances such as giving notice to the data principal (the person to whom the data belongs), informing the data principal when personal data is shared with other entities, and providing a summary of personal data processing.
Senior government sources said that even public entities can be held liable for violation if they process data or fail to protect data in all instances barring special exemptions provided under the bill.
"In case of public emergency, compliance of court order, criminal investigations etc the provisions of the bill will not apply but suppose data of individuals is shared by any public department to political parties or commercial gains etc then it can be held liable in the same manner as in case of violation by a private entity," a source said.
The bill proposes to tighten the noose on entities, especially online platforms like mobile apps and social media companies like Facebook, Twitter, and Telegram, over the collection and processing of users' personal data, be it within the country or overseas.
In a move to ease the burden of compliance on global entities, the bill neither has a provision that differentiates between sensitive and non-sensitive personal data nor does it restrict the processing of data overseas unless any restricted geography is notified under the proposed norms.
"The bill will not overwrite any sectoral laws, especially around data processing," a government source said.
Large online platforms will be required to appoint a Data Protection Officer who will act as the point of contact for the grievance and redressal mechanisms of their users. Large online entities will also need to appoint independent data auditors to carry out data audits and evaluate the firms' compliance with the provisions of the DPDP Bill 2023.
The bill proposes to exempt the Centre from appointing both Data Protection Officers and data auditors in special cases.
The bill has included a mechanism to process data of children defined as individuals below the age of 18 years.
In the case of children, entities will need to take the consent of the guardian. Under the proposed norms, the Centre may notify the age above which the data fiduciary will be able to process data if it is done in a verifiably safe manner.