The proposed personal data protection law will require a behavioural shift in how intermediaries deal with citizens’ data, Minister of State for Electronics and Information Technology Rajeev Chandrasekhar said on December 23.
“Post the bill, the intermediaries will have to go for deep behavioural changes -- it will no longer be business as usual for them... But we don’t want it to create a sudden disruption. There will be a time period given for transition,” he said in a meeting with stakeholders.
The stakeholders came up with various suggestions related to different clauses of the Bill including the penalty regime for data fiduciaries, regarding obtaining parental consent for children, cross-border data flows and consent managers and how the government intends on regulating them. The minister also provided clarity on the deemed consent clause for the government's access to data.
On the question of cross-border data flows, Chandrasekhar said that those countries will be whitelisted that agree to recognise Indian citizen’s right to data privacy and its enforcement.
Last month, the government unveiled the much-awaited and revised digital personal data protection legislation that limits the storage of Indian citizens' data to certain trusted geographies. It, however, doesn't specify which countries are trusted geographies.
To reign in the data collection, protection and processing practices of tech companies, the bill also includes penalties of up to Rs 500 crore for non-compliance with the rules.
During the public consultation today, Chandrasekhar emphasised that the proposed data protection board will determine the mechanics of levying a penalty in case of data breaches. It will do this on the basis of the severity of the breach and the sensitivity of the personal data involved in such an incident.
The attendees at the consultation included representatives from industry, think tanks, law firms, and consumer and citizen rights groups.
The minister also cautioned that data fiduciaries must not flirt with the idea of using the provision of deemed consent to not take proper consent from users on how their data will be processed.
"There will be no opportunity for deemed consent to private sector. That door is triple-locked. If you want some data, take consent," said Chandrasekhar.
Clause 7 of the DPDP Bill has introduced the concept of "deemed consent" for processing personal data for specific purposes, such as "public interest". Industry bodies want the Bill to include "contractual reasons" for processing data with deemed consent.
"A contract can't supersede the right of the citizen to get his data protected. You can't wave a contract and say that (this allows deemed consent)," he clarified.
Moneycontrol earlier reported that Big Tech firms, including Google, Meta, Twitter, Apple and Microsoft, have sought revision in the definition of a child under the Digital Personal Data Protection (DPDP) Bill to mean an individual under the age of 13, a re-look at provisions to facilitate cross-border data transfer and around two years of a transition period for the implementation of this legislation, among others.
These requests were made in submissions by the Asia Internet Coalition (AIC) and The Software Alliance (BSA) to the Ministry of Electronics and Information Technology (MeitY) as part of the consultations on the DPDP Bill.
Discover the latest Business News, Sensex, and Nifty updates. Obtain Personal Finance insights, tax queries, and expert opinions on Moneycontrol or download the Moneycontrol App to stay updated!
Find the best of Al News in one place, specially curated for you every weekend.
Stay on top of the latest tech trends and biggest startup news.
