The government has published the much-awaited draft digital personal data protection bill, which mandates penalties of up to Rs 500 crore for non-compliance and the setting up of a regulator.
By focusing only on personal data, it has done away with regulating the use of non-personal data. This draft bill will undergo extensive consultation, and the government is aiming to introduce it in Parliament by the next Budget Session.
The draft bill requires a data fiduciary -- i.e. an entity which processes user data -- to give the user an itemised notice, in clear and plain language, on the data sought to be collected. It also mandates that the user should have the right to give, manage and withdraw consent to the sharing of his/her information.
For example, when a person closes their savings bank account, the bank has to delete his/her data pertaining to the account. Similarly, if a user deletes their social media account on a particular platform, their data has to be deleted as the bill mandates that a data fiduciary must retain personal data only so long as it is required for the purpose for which it was collected.
The bill states that a data fiduciary shall not undertake tracking or behavioural monitoring of children or targeted advertising directed at children. Before processing any personal data of a child, the fiduciary has to obtain verifiable parental consent. Moreover, non-fulfilment of these obligations relating to children can lead to penalties of up to Rs 200 crore.
In an explanatory note to the bill, the government has said that it is the responsibility of the data fiduciary to ensure that the data principal (user) is able to seek effective redressal of his grievances. To facilitate this, the bill provides that every data fiduciary should publish contact details of the person to whom grievances and queries can be addressed.
Although the issue of data localisation was thought to be an important part of the proposed regulation, the bill only says that the central government may notify countries or territories outside India to which a data fiduciary may transfer personal data, in accordance with terms and conditions that may be specified later.
Similar to the additional obligations placed on social media intermediaries with more than 5 million users in the Information Technology Act, 2021, the data protection bill states that a 'significant' data fiduciary, based on the volume of data processed, risk to users and elections etc, will need to fulfil certain additional obligations to enable greater scrutiny of its practices.
The draft bill also contains a set of provisions named 'duties of data principal' that ask a user to provide authentic information while claiming the rights to erase or correct their data, not register a false or frivolous grievance or complaint with a Data Fiduciary or the Board, and not provide any false information or impersonate another person. There would also be penalties of up to Rs 10,000 for non-compliance with the 'duties'.
A fresh data protection bill was necessitated due to the withdrawal of the PDP Bill, which had garnered a lot of criticism since its first draft was formulated by the Justice BN Srikrishna Committee in 2018.
The 2019 draft of the bill was criticised over Section 35, which empowered the central government to exempt any government agency from provisions of the law, and over Section 12, which allowed for non-consensual processing of personal data by the state.