Cabinet Approves Data Protection Bill 2023, Minor Changes Incorporated As Per Sources

The Union cabinet has approved the Personal Data Protection Bill, paving the way for its introduction in the upcoming Monsoon session of Parliament, according to sources. This version of the bill, initially released for public consultation in November last year, incorporates minor changes based on stakeholder feedback.

The need for this bill arose after the withdrawal of the data protection bill proposed by the Justice BN Srikrishna Committee in 2018, which faced criticism for its complexity and burdensome requirements, including data localization for industries.

The proposed legislation is likely to be tabled during the upcoming monsoon session of Parliament. The Centre had earlier told the Supreme Court that the new bill was ready and would be introduced in upcoming session, as per a report in Livemint.

Penalty For Data Breach

The proposed legislation aims to enforce strict regulations regarding the collection of personal data and emphasizes the requirement for consent from individuals. It also includes provisions for imposing significant penalties, with fines reaching up to ₹500 crore, on individuals and companies that fail to prevent data breaches. These breaches encompass accidental disclosures, unauthorized sharing, unauthorized alteration, or unauthorized destruction of personal data. The legislation intends to enhance data protection measures and ensure accountability in handling personal information.

Unlike the previous bill, the new version focuses solely on personal data and removes regulations on non-personal data. It also eliminates the mandatory local storage of user data by businesses, allowing for data storage in "trusted geographies."

Under the draft bill, data fiduciaries, entities processing user data, must provide users with itemized notices in clear and simple language regarding the data to be collected. The bill also grants users the right to give, manage, and withdraw consent for sharing their information.

For instance, when an individual closes a savings bank account, the bank must delete the relevant data. Similarly, if a user deletes their social media account, the platform must delete their data. The bill mandates that data fiduciaries retain personal data only as long as necessary for the purpose for which it was collected.

Regarding children's data, the bill prohibits data fiduciaries from tracking or behaviorally monitoring children or conducting targeted advertising aimed at children. Verifiable parental consent is required before processing any personal data of a child. Non-compliance with these obligations regarding children can result in penalties of up to INR 200 crore.

Earlier, Minister for Electronics and Information Technology Ashwini Vaishnaw stirred controversy by claiming that the Parliamentary Standing Committee on IT had "approved" the bill. However, committee members disputed these claims.

The previous version of the bill, the Personal Data Protection Bill, 2019, was referred to a Joint Parliamentary Committee after being tabled in Parliament. The committee reviewed it for over two years before submitting its report in December 2021. The government subsequently withdrew the bill in August 2022, citing compliance-related concerns.

Applicability Of Data Protection Bill 2023

The law will apply to personal data collected online or offline but digitized. It will also extend to the processing of personal data outside India if it involves profiling Indian individuals or offering goods or services within India. The law exempts the processing of data in India for individuals located outside the country under cross-border contractual arrangements, which includes the outsourcing industry.

Consent remains the primary basis for processing personal data, requiring it to be freely given, specific, informed, and an unambiguous indication through clear affirmative action. Consent can be withdrawn, with the consequences borne by the data subject. The bill also includes other grounds for processing personal data, such as compliance with laws, court orders, and actions related to epidemics or law and order situations.

The concept of legitimate interest is addressed in various ways, including situations where consent is deemed to have been given. However, it remains unclear whether private enterprises can utilize these grounds, given the requirement for processing to be in the public interest. There is also a provision for "fair and reasonable purpose," but the government must notify what is considered fair and reasonable, taking into account the legitimate interests of the data fiduciary.

One important ground is when the processing of personal data is "necessary," and the data is provided voluntarily, with a reasonable expectation that the data subject would provide such data. This provision, although potentially significant for businesses that do not rely on consent, may benefit from clearer drafting.

Also Read: Internet Suspension Extended In Manipur Till July 10 Amid Ongoing Violence