New Delhi: The Digital Personal Data Protection (DPDP) Bill has been approved by the Union Cabinet. The approval clears the way for the Bill to be introduced in Parliament during the upcoming Monsoon Session, which begins on July 20.
The data protection legislation establishes standards for the management of personal data of Indian residents and requires explicit consent from those whose information is collected and used.
According to the official, over 20,000 comments on the draught bill were received, but they will not be made public. He also stated that there has been little difference between the draught that was circulated during public consultation and the final Bill that will be tabled in parliament. In response to Right to Information requests, the Union government has refused to provide copies of comments on the Bills from industry, civil society, and government bodies.
The Bill essentially allows ordinary people to complain to the Data Protection Board of India, which is made up of technical experts appointed by the government, if they have reason to believe that their personal data, such as cell phone numbers or Aadhaar numbers, has been used without their consent.
The DPDP Bill also specifies best practises for entities that collect personal data, how that data should be stored and processed to avoid breaches, and the rights of individuals whose data is being used. The Bill is based on an EU law, the General Data Protection Regulation, and lists 23 instances where consent for data recording is not possible.
The Bill includes a provision for entities to offer voluntary undertakings in order to avoid court litigation by admitting that a breach occurred and paying a penalty. The Data Protection Board of India, which would be established under the Act, would levy the fines. “In the event of a data breach, a penalty of Rs 500 crore would be imposed,” the official said.
According to the latest draught, courts and law enforcement agencies are exempt from key requirements because “personal data is processed in the interest of prevention, detection, investigation, or prosecution of any offence or contravention of any law” or “personal data is processed by any court, tribunal, or any other body in India is necessary for the performance of any judicial or quasi-judicial function.”
Concerns have been raised by right to information activists about an amendment to the RTI Act, 2005, included in the DPDP Bill that would prohibit government departments from sharing “personal information,” arguing that government departments may refuse to share information that could hold public officeholders accountable.
The Bill is the culmination of a process that began in 2017 with the K.S. Puttaswamy vs. Union of India decision, which declared that the right to privacy was a fundamental right as part of the right to life and liberty under Article 21 of the Constitution.