New Delhi: Parliament on Wednesday approved the ‘Digital Personal Data Protection Bill’, which has provisions to determine the accountability of data protection. In this bill passed by voice vote in the Upper House today, provision has been made to enforce general and in some cases, special obligations on the bodies engaged in the protection of digital personal data and promotion of personal data. This bill has been passed in the Lok Sabha on August 7.
Communications and Information Technology Minister Ashwini Vaishnav said that everyone has seen the importance of digital transactions and it has become the need of our lives. He said, “900 million Indians have connected to the Internet and digital facilities have reached even the smallest village. In such a situation, the security of digital data is very important, in view of which this bill has been brought.
Regarding the bill, Vaishnav said that it has been discussed for many hours in many forums including the Standing Committee of Parliament in the last several years. He said that 48 organizations and 39 departments and ministries discussed it and 24,000 suggestions and ideas were received from them. He said that adequate provisions have been made for data security in the Bill. He said that whatever data will be collected, according to the law, it will be used for the specified work, the data will have to be deleted after use, all measures will be taken to keep the data private and it will be the responsibility of the data collector. That it will protect the data in accordance with the law.
The Minister of Communications and Information Technology said that the data of any person, data coming on any platform or app will now come under the law. It has been said that this data should be used for the purpose for which it is taken. He told that a provision has been made in this that only as much data as is required should be taken and in case of a change in the personal data of a person, it should be followed accordingly. The purpose of the bill said that the data should be kept for as long as it should be kept. Vaishnav said that through this the accountability of data security has been fixed.
He said that in this, people who are reluctant to put data on social media will have the right to decide on it. The minister said that a data protection board will be formed which will look into the entire system related to data. He said that there will be experts on the board and the board will work through law and will be independent. Vaishnav said that this is the first bill in which women’s power has been fully respected and ‘she’ has been used instead of ‘he’. It has been prepared in very simple language.
After the minister’s reply, the bill was approved by a voice vote in the House. Some opposition members had given notices for amendments to the bill but due to their absence, their amendments were rejected. Earlier, participating in the discussion on the Bill, Dr. Amar Patnaik of Biju Janata Dal said that cyber crimes have also increased at the same pace as technology has progressed and has become a part of almost every person’s life. He said, “In view of this, in a huge democracy like India, the aspect of data security becomes very important.
Describing the bill as important, he said that the Supreme Court has also said that it is the right of every citizen to protect his data. Patnaik said that the bill has a provision to use the data only for the specified purpose and delete it after use, which is very important. He suggested that the Bill does not say anything about data privacy and compensation in the event of a breach when it should. Patnaik said that it should also be clarified whether the data will be kept in digital form or non-digital form and there should be a system of boards at the state level also for redressal of grievances related to it.
Know the key points of the Bill
The data protection bill is proposed legislation that aims to regulate the collection, processing, storage, and transfer of personal data of individuals in India. It also seeks to protect the privacy and rights of data subjects and to establish a Data Protection Board of India to oversee and enforce the provisions of the bill. Some of the highlights of the data protection bill are:
It defines personal data as any information that relates to an identified or identifiable individual, and sensitive personal data as any personal data that may reveal, relate to, or constitute aspects such as financial data, health data, biometric data, sexual orientation, religious or political beliefs, etc.
It requires data fiduciaries (entities that collect and process personal data) to obtain the consent of data subjects (individuals whose data is processed) before collecting and processing their personal data, except for certain exemptions such as for the provision of state benefits, compliance with the law, or in case of emergencies.
It grants certain rights to data subjects, such as the right to access, correct, erase, port, and restrict their personal data, and the right to withdraw consent at any time.
It imposes certain obligations on data fiduciaries, such as providing clear and transparent notices about the purpose and manner of data processing, ensuring the quality and security of personal data, appointing a data protection officer, and conducting data protection impact assessments for high-risk processing activities.
It establishes a Data Protection Board of India, which will consist of a chairperson and six members appointed by the central government. The Board will have the power to issue regulations, guidelines, codes of practice, and orders related to data protection. It will also have the authority to investigate, audit, inquire, adjudicate, and impose penalties on data fiduciaries for non-compliance with the bill.
It provides for a penalty of up to Rs 250 crore or 4% of the annual turnover of the data fiduciary, whichever is higher, for serious violations such as processing sensitive personal data without consent or in violation of consent. It also provides for a penalty of up to Rs 500 crore or 6% of the annual turnover of the data fiduciary, whichever is higher, for repeated violations or failure to comply with the orders of the Board.
It allows for the transfer of personal data outside India, subject to certain conditions such as ensuring adequate levels of protection in the recipient country or obtaining explicit consent from the data subject. However, it also empowers the central government to notify certain countries or entities where such transfer is prohibited.
It empowers the central government to exempt any agency of the government from the application of the bill on grounds such as national security, public order, sovereignty and integrity of India, friendly relations with foreign states, or prevention or detection of offenses.
