The Lok Sabha today approved the Digital Personal Data Protection Bill which aims to stop the misuse and exploitation of personal data by online business entities and ensure the people’s right to privacy. The Bill provides for a stringent penalty of up to Rs 250 crore for any data breach by a business entity.
Moving the Bill for consideration and passage, Minister for Electronics and Information Technology Ashwini Vaishnaw said the focus of the Bill is to protect internet users from online harm and create a safe and trusted digital ecosystem as India is a digital economy powerhouse today.
The norms of the bill will apply to personal data collected within India from data principals online, and personal data collected offline, but subsequently digitised. It will also apply to such processing outside India if it is for offering goods or services to individuals in India.
The new legislation aims to give people more control over the use of their personal information by businesses as it lays out strict conditions for data sharing, processing and storage.
The Bill provides for a penalty of up to Rs 250 crore for data breaches, which can go up to Rs. 500 crore based on the number of breaches.
It has also introduced a new clause that allows a platform to be blocked if two or more instances of breach of provisions occur.
It has recommended the establishment of a data protection board to advise the central government in cases where a platform has to be blocked.
The bill gives certain exemptions to the government for the purposes of investigation or for the purpose of ascertaining the financial information and assets and liabilities of any person who has defaulted in payment due on account of a loan or advance taken from a financial institution.
The Bill allows for data processing without user consent under certain circumstances, such as medical emergencies, disasters, court orders, and government agency requirements.
Provisions under the Bill enable the Centre to block access to content in the interest of the general public on getting reference in writing from the board.
Regarding the transfer of personal data outside India, the Bill states that the Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified.
In major exemption, the Central Government may, by notification, exempt from the application of provisions of this Act, the processing of personal data by any instrumentality of the State in the interests of sovereignty and integrity of India, security of the State, friendly relations with foreign States, maintenance of public order or preventing incitement to any cognizable offence.
The government said during the drafting of the Personal Data Protection Bill, 2019, the entire gamut of principles was widely debated and discussed. These include rights of individuals, duties of entities processing personal data and regulatory framework, among others.
The bill continues to have stringent conditions for processing data of children and parental consent is a must for processing data of minors with certain exemptions. The bill also states that undertaking tracking and behavioural monitoring of children is prohibited a part from certain exemptions.