India’s Data Privacy Bill is Back

India’s IT Minister Ashwini Vaishnaw brought back the redrafted Data Privacy Bill in the Lok Sabha, barely months after introducing the first draft faced rough weather from big tech companies who seemed to balk at some of the proposals. Of course, this time round, the Opposition benches want the Bill to be referred to a joint committee of Parliament as they aren’t convinced by the government’s flip-flop. 

However, the minister cited procedural jargon to suggest that there was no need for another committee to pour over the provisions of the Bill and all queries from the Opposition would be answered during the debate itself. Readers would recall that several lawmakers had protested the Bill, alleging that it violated the right to privacy of Indian citizens. 

The Digital Personal Data Protection Bill seeks to provide substantial discretionary powers to the government including waiver of certain data fiduciaries from compliance if the need arises. In addition, the bureaucracy can also permit the handling of children’s data in case the fiduciary can demonstrate adequate protection measures. 

What’s raised the hackles of privacy experts is the authority that the Bill provides to governments to designate countries where transfer of user data can be prohibited. In the earlier version, the Bill had suggested allowing data transfers to notified countries and territories. In addition, it also provides legal protection to the central government, the data protection board and its members against all future legal actions.  

What is the Digital Personal Data Protection Bill? 

For starters, it frames out the rights and duties of the citizen and the obligations to use collected data lawfully by the fiduciary at the other end. It seeks to set up a governance module to safeguard the use of personal data, set out rights and duties for users and the obligations for all the businesses using such data. There are six key principles governing data economy: 

• Collection and usage of personal data must be lawful, protected from breach with transparency maintained at all times. 
• Data collection exercises must be for a legal purpose and the data should be safely stored till the purpose is served. 
• Data minimization relates to having only relevant data being collected of individuals and serving the pre-defined purpose as the only aim. 
• Data protection and accountability 
• Accuracy of data. 
• Reporting of a data breach. 

What are some key proposals?

The Bill itself proposes data protection legislation that allows transfer and storage of personal data in some countries while raising the penalty for violations. It suggests consent before collecting personal data and provides stiff penalties to the tune of Rs.500 crore on those that fail to prevent data breaches. 

The Bill applies to processing digital personal data within the Indian territory and processing it outside of India if such processing is in connection with any profiling or offering goods or services to data principals within India. However, it does not apply to non-automated processing or processing for domestic or personal purposes by individuals and data contained in records that have been in existence for at least 100 years. 

On the issue of consent, the Bill notes that personal data of an individual can only be processed for a lawful purpose for which the concerned individual has given consent or is deemed to have given her consent. It mentions the consent should be free, specific, informed, and unambiguous. 

On data localization and cross-border transfer, the bill agrees to cross-border flow to certain countries and territories that have been permitted. It also permits relaxation in data localization requirements on a need-based basis.  

Early responses to the new Bill

In a public video address released after the bill was tabled in the parliament, Rajeev Chandrasekhar, junior IT minister, called the move a “very significant milestone in the evolution of the global standard cyber law framework.” He said the bill makes it mandatory for companies collecting and using personal data to comply with the law and should not ask for “extraneous information” irrelevant to the service or product the user receives. 

Readers would recall that the Bill was originally drafted in 2017 and it took two years for the government to table it for the lawmakers. However, it was withdrawn abruptly last year as several big tech companies including Amazon and Google raised a red flag on the number of exemptions that the Bill gave to government departments on data protection. 

All in all, public policy experts have welcomed the new Bill and lauded the government for cutting down the provisions from a whopping 90 in its earlier draft to just 30. However, they also warned that this reduction could create some ambiguity in future.