MC Exclusive | Platforms can’t pass the buck for data breaches to cloud service providers, says Rajeev Chandrasekhar

‘We have made it very clear that we will not go looking around for who's liable for the breach. It will be the platform regardless of how many other data processors the platform uses,’ the Union Minister says

August 10, 2023 / 14:48 IST
Union Minister Rajeev Chandrasekhar

Digital platforms that take user consent to process their data will ultimately be liable for data breaches under the Digital Personal Data Protection Bill, and they won’t be allowed to pass the buck on to third-party cloud service providers, Minister of State for Electronics and Information Technology Rajeev Chandrasekhar told Moneycontrol in an interview.

“It is for the data fiduciary to be very, very careful that he does not choose a geography where the law can be easily breached or broken. We have also made it very clear that we will not go looking around for who's liable for the breach. It will be the platform regardless of how many other data processors the platform uses,” he said.

“For example, if I am the platform and you are the citizen who gives me the data, I am liable to you under the Indian law liable to protect your data, regardless of whether I use the Amazon cloud in the US, the Microsoft Cloud in the UK, or any other cloud wherever in the world,” he explained.


The Bill uses the term ‘data fiduciary’ to describe those who can process a person’s data. A data fiduciary can be anybody, including public and private bodies, that collects personal data and processes it.

The Bill further says that a data fiduciary will protect personal data in its possession or under its control by taking reasonable security safeguards. This includes data that is being processed by a third party. If there is a data breach, the platform will have to notify the user and the personal data protection regulator.

“The moment a data platform, which will be called Data Fiduciary under the law, is operating in India and collecting data from an Indian citizen or a data principal, the law applies regardless of whether the person processes the data in Timbuktu or in London or New York or wherever. The entity is obliged under the law to protect the Indian citizen’s data,” said Chandrasekhar.