Bill exempts certain government-notified fiduciaries from sharing information with their respective data owners owing to frivolous applications under RTI
The report said that data transfer and storage in other countries will be done based on mutual agreements
After being in limbo for close to three years now, a rehashed version of the draft Bill was unveiled on November 18 and will be open for public comments till December 17
With the government releasing the Digital Personal Data Protection Bill, the debate about its provisions has intensified. It now appears that even the government could be held liable in the event of a data breach.
“The Bill is mainly to make those entities accountable that are monetising data. In case of data breach, even the government is not exempted,” a source was quoted as saying by news agency PTI.
Citing frivolous applications under the Right to Information (RTI) Act that burden government departments, a source also said that the Bill would exempt certain government-notified fiduciaries from sharing information with their respective data owners.
It is pertinent to note that, under the proposed law, all data fiduciaries are answerable to data owners on information related to data processing under an RTI mandate within the Bill. It also seeks to exempt some entities from sharing information for reasons ranging from national security to the nature and volume of personal data processed.
On the sections within the Bill that allow cross-border data transfers, the source added that data transfer and storage in other countries will be done based on mutual agreement and recognition of each other.
According to the source, the proposed law's ambit will only be limited to digital data.
After being in limbo for close to three years now, a rehashed version of the draft Bill was unveiled on Friday (November 18). Called the Digital Personal Data Protection Bill 2022, the Bill will be open for public comments till December 17. After that, the Bill will be tabled in Parliament, which is likely to happen by next year.
The new Bill defines the word data alongside data fiduciaries and data principals. Apart from that, it has also narrowed the scope of the usage of personal data by companies and mandates data localisation and storage norms.
It also imposes heavy penalties ranging from INR 50 Cr to INR 500 Cr on those violating the proposed norms. The Bill also proposes establishing an online redressal forum for grievance redressal and enforcement of new norms.
“The Central Government may by notification, having regard to the volume and nature of personal data processed, notify certain data fiduciaries or class of data fiduciaries as data fiduciary to whom the provisions of Section 6, sub-sections (2) and (6) of section 9, sections 10, 11 and 12 of this Act shall not apply,” noted the Bill while talking about exemptions.
It is not yet clear whether social media platforms could avail themselves of such exemptions as data fiduciaries. If it goes through, it could also increase compliance burdens on these big tech giants.
Meanwhile, experts and critics have come out all guns blazing against the new Bill. Former Justice BN Srikrishna, who headed the panel that submitted the first version of the privacy law in 2018, said that parts of the Bill concerning deemed consent clauses are unconstitutional.
“This is symbolic of the vague and unchecked powers that the Union government has retained for itself to frame rules at a later stage in the absence of legislative guidance,” added internet advocacy group Internet Freedom Foundation.
Note: We at Inc42 take our ethics very seriously. More information about it can be found here.