
What is the Data Protection Bill cleared by the Union Cabinet?

FP Explainers July 6, 2023, 14:08:55 IST

The Digital Personal Data Protection (DPDP) Bill concerns itself with the online personal data of users or ‘Data Principals’. After being approved by the Cabinet, the proposed draft is now likely to be tabled in Parliament in the upcoming Monsoon Session


The Union Cabinet has approved the draft Digital Personal Data Protection (DPDP) Bill, which is now expected to be tabled in the upcoming Monsoon Session of Parliament, as per multiple reports. The Monsoon Session is slated to begin on 20 July and conclude by 11 August.

The development comes after the Ministry of Electronics and Information Technology (MeitY) invited feedback and recommendations from the public on the bill last November. A senior government official told ThePrint that the Centre received over 20,000 comments on the draft bill and “each and everyone was considered and included in the final bill, wherever possible”.

This is the second attempt by the Centre to introduce legislation on personal data protection, six years after the Supreme Court held privacy to be a fundamental right of every Indian citizen. What is the DPDP Bill and what are the concerns about it? Let’s take a closer look.

What is the Data Protection Bill?

The proposed Digital Personal Data Protection Bill concerns itself with the online personal data of a user or ‘Data Principal’. The users have to give their consent to ‘Data Fiduciary’ – individual, company, firm, state, etc. – to process their personal data, as per the draft released in November 2022.

It further states that “every individual should know what items of personal data a Data Fiduciary wants to collect and the purpose of such collection and further processing.” However, an exemption to this rule is when seeking the user’s consent is “impracticable or inadvisable due to pressing concerns”.

The draft bill also empowers the Central government to set up the Data Protection Board of India, a regulatory body to oversee compliance with the law. The government can appoint the chairperson and members of this Board.

The proposed bill exempts “any instrumentality of the State” and some data fiduciaries and organisations that process data for law enforcement or judicial reasons, noted The Quint. For every instance of violation of the provisions of the bill, the highest penalty of up to Rs 250 crore can be levied.

The Bill ‘stands the test of time’

In an interview with news agency PTI, Union minister Rajeev Chandrasekhar said several consultations were held regarding the bill and it is a “truly world-class piece of legislation”. “I have absolutely no doubt that the DPDP Bill will create deep behavioural changes among platforms in India who have for long exploited and misused personal data”.

The MeitY official told ThePrint that “minor changes” have been made in the bill without disclosing details. “We consulted with about 48 organisations… we have drafted the bill in a manner that it stands the test of time even as the technology keeps changing,” the government official added.

As Indian Express noted, once the data protection bill becomes law, it will be significant in India’s trade negotiations with other countries and regions such as the European Union.

What changes to expect?

The amended provisions of the draft personal data protection bill will come to light once it is introduced in Parliament. But, as per the Indian Express report, one of the changes to the bill includes its treatment of cross-border data flows. The draft bill could allow cross-border data flows to all international jurisdictions, except the countries placed in the “negative” or “official blacklist”.

“A provision on ‘deemed consent’ in the previous draft could also be reworded to make it stricter for private entities while allowing government departments to assume consent while processing personal data on grounds of national security and public interest,” reported Indian Express.

Concerns about the DPDP Bill

In the case of users below the age of 18, their parents or lawful guardians will be considered their ‘Data Principals’, as per the November draft. Speaking to CNBC-TV18, Rama Vedashree, former CEO of the Data Security Council of India (DSCI), expressed concern about the practicality of “age-gating” and obtaining the “verifiable parental consent” to process users’ personal data.

“Implementing a comprehensive compliance programme to meet these provisions around protecting children’s data is a welcome measure, but how we go about implementing it would be a challenge,” she stated.

Another concern is that the bill does not include a provision for compensation to affected data principals in case of a data breach. The government official said the bill leaves this to the judiciary. “The affected party can take the data fiduciary to civil court for any breach or misuse of data,” the official told ThePrint.

As per Indian Express, the exemptions for the Centre and its agencies from most data protection obligations, which received wide criticism, have been retained in this new draft.

Experts also earlier flagged that Clause 30 of the bill can weaken the Right to Information (RTI) Act. They worry the law will dilute the RTI Act as it is expected to protect the personal data of government officials.

Apar Gupta, founder of Internet Freedom Foundation, previously wrote in an article for Indian Express that the data protection bill, which mandates users to provide “verifiably authentic” information or face a penalty, compounded with the verification rules under Telecommunications Bill, 2022, could result in “the creation of a vast surveillance apparatus.”

As per the draft DPDP bill, users can be penalised for up to Rs 10,000 if they furnish false information while “applying for any document, service, unique identifier, proof of identity or proof of address”.

Previous effort

An earlier version of the bill – Personal Data Protection Bill, 2019 – was tabled in Parliament. Following recommendations from a joint parliamentary committee, the proposed data protection bill was updated. However, last August, Union Minister of Information Technology Ashwini Vaishnaw withdrew the bill from Parliament.

“Considering the report of the JCP, a comprehensive legal framework is being worked upon. Hence, in the circumstances, it is proposed to withdraw ‘The Personal Data Protection Bill, 2019’ and present a new bill that fits into the comprehensive legal framework,” the government said at the time.

With inputs from agencies
