The Ministry of Electronics and Information Technology on Friday released its long-awaited draft of a new Digital Personal Data Protection Bill. The bill is a significantly shortened version of its withdrawn predecessor, at less than half the size, after disagreements or ‘amendments’ were proposed on almost all sections of the previous bill by the Joint Parliamentary Committee assigned to it. The scope is narrowed, too, and the bill’s provisions will not apply to “offline” personal data. Based on earlier government statements, the bill should be presented in the next session of Parliament.
Notice: Data fiduciaries, that is, organizations collecting personal data from individuals, must provide notice of why they are doing so.
Consent: The bill requires collection of personal data to be based on “freely given, specific, informed and unambiguous indication” of user consent. Requests for consent will be required to be provided in English or any official language of India specified in the constitution. Consent should be withdrawable at any time.
A “Consent Manager” should be made available to review provided consent, and this entity should register with a Data Protection Board that will be set up by the government. Fiduciaries should obtain “verifiable parental consent” for collecting data from minors.
Retention: A data fiduciary should no longer retain information about a user (a “data principal”) if the purpose of keeping that data is no longer served.
Rights: Users should have the right to review and correct data they have provided, as well as to remove such data. They should be able to nominate someone else in case of death or incapacitation. They should have the right to have their grievances processed by the data fiduciary.
Data transfer outside India: The bill says that the government will notify a list of countries in which Indians’ data may be stored.
Exemptions: The bill’s provisions give the government wide exemptions, as “any instrumentality of the State in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence relating to any of these” will not be subject to its provisions.
Data Protection Board of India: The government will set up a Data Protection Board of India that will be “digital by design” to handle data breaches and impose fines on erring data fiduciaries. The board will be able to hold hearings and hear complaints from users. Fines of Rs 50 crore to Rs 250 crore are provided for.