Data Protection Bill Gets Cabinet Nod

India’s Digital Personal Data Protection Bill was cleared by the Union Cabinet last evening, thus paving the way for voluntary disclosure of data breaches by companies and the establishment of an alternate dispute resolution mechanism. The next step is for the ministry of electronics and information technology (MeiTY) to table the Bill in Parliament in the next session. 

The draft bill has removed most criminal provisions for data breaches that were available in the previous versions of the Bill. Instead, it has created an empowered Data Protection Board that can penalize enterprises of up to Rs.250 crore in case of such breaches. These fines can go up to Rs.500 crore post approvals, requiring no further amendments to the law. 

A major shift towards voluntary disclosures

A report published by ET quotes official sources to suggest that voluntary disclosure mechanism was similar to the plea bargain method in law. This means that companies can volunteer information and admit to a breach of any kind in their data security protocols and pay up the necessary penalties to avoid legal complications. 

The officials also were quoted as saying that the grievance redress mechanism for companies was the first step of the process. The second involves the Board and thereafter the matter would be referred to the courts. The reports also noted that safety of children online was a critical part of the new Bill. 

The final version of the Bill is also meant to fulfill the government’s undertaking to the Supreme Court for introducing effective data protection. The undertaking was given back in 2017 when the Apex Court had held the right to privacy as a fundamental right, albeit under the ambit of a governance framework. 

Owners can seek deletion of their data

The Bill also prioritizes consent of the owner of data before it is given or is deemed to have been given. There have been questions raised about the exceptions that have been provided to the government and its agencies on this matter. Reports now indicate that the approved Bill seems to contain most provisions contained in the original version. 

The Bill, which should be tabled during the upcoming monsoon session, should get passed by both Houses of Parliament, following which data principals can ask companies to delete data that was collected before the data protection regime came into existence. Last November, the government released a draft of the Bill for public consultations. 

In addition to creating voluntary disclosures, the Bill has also introduced some provisions under the alternate dispute resolution mechanism that would allow two parties to settle their complaints with the help of a mediator. 

Gowree Gokhale, Leader of the IP, Technology, Media and Telecom Practice at Nishith Desai Associates.

“Digital Personal Data Protection Bill is a much awaited legislation. The last version of the Bill was much simpler form than the earlier versions. Various industries had given feedback on several aspects e.g. cross border transfer, handling of children’s data, deemed consent provisions, the powers of the board in levying penalties. Hopefully, the government has addressed industry concerns in the next version. The government has been given rule making power on several areas. The industry will need to work closely with the government so that the rules are simple and implementable, especially for the start-up ecosystem.”

Amit Jaju, Senior Managing Director, Ankura Consulting Group (India)

“The Indian Personal Data Protection Bill, 2022, is a significant step forward in establishing a comprehensive framework for data protection in India. It introduces key concepts such as data fiduciary and data principal and emphasizes the importance of consent in data processing. However, the bill also raises some concerns. The provision for “deemed consent” could potentially be misused, leading to data collection without explicit consent. The bill’s application to data processed outside of India could also have significant implications for multinational companies. Additionally, the effectiveness of the Data Protection Board will depend on its independence and the resources available to it.

 Overall, the bill is a significant step towards protecting personal data, but it requires careful implementation and continuous review to ensure that it effectively protects individuals’ rights.

 When compared to the EU General Data Protection Regulation (GDPR), there are several similarities, such as the emphasis on consent, the rights of the data subject, and penalties for non-compliance. However, there are also some differences. For example, the GDPR has stricter regulations on data transfer outside the EU and includes a “right to be forgotten,” which allows individuals to request the deletion of their data under certain circumstances. The Indian bill, on the other hand, focuses on the establishment of a Data Protection Board, which is not a feature of the GDPR.”