After withdrawing the controversial Data Protection Bill 2019 a few months ago, the Centre has released a new draft for the regulation. Now titled the Digital Personal Data Protection Bill, this directive aims to regulate companies’ usage and storage of Indian citizens’ data. 

This bill has been opened to the public for suggestions through the MyGov website, although the link has not been provided yet. The deadline for the public to provide comments for the bill is set at December 17, 2022. 

Incidentally, the bill has had a long history, and now represents the 4th iteration of India’s data protection regulation. The conversation for regulation of data privacy began in 2017 with the Justice Puttaswamy judgment in the Supreme Court. This historic ruling identified privacy as a fundamental right of citizens of India, prompting the Ministry of Electronics and Information Technology to constitute a committee. The report submitted by the committee—headed by retired Supreme Court Justice BN Srikrishna—formed the skeleton of what is now known as the Digital Personal Data Protection Bill.

After being tabled in the winter session of the parliament last year, the bill was rejected over concerns about the amount of power it offered to the Indian government. Not only did it place strict regulations on data outflow from India to other countries, it also allowed exemptions for government agencies and forced companies to keep a copy of their data in India. 

The criticism received by the bill prompted MeiTY to create another draft of the bill—one that was eagerly awaited by the Internet-aware citizens of India. The draft aims to establish a new regulatory board known as the ‘Data Protection Board’, which will oversee the execution of the regulation if the bill gets passed into law. 

Read: UNESCO’s Outlook on India’s Data AI Policy 

Let’s take a look into some of the key takeaways from the latest draft of the bill.

Consent For Data Collection:

The bill has made clear the specific requirements that need to be put in place for companies to collect personally identifiable information from users. First, the company must ask the data principal for their consent in “clear and plain language” that must “contain a description of personal data sought to be collected”. The user can also withdraw their consent at any time, and the regulation requires the company—and any associated data processor—to stop processing the data. 

However, a company can assume “deemed consent” for data collection in situations that warrant it. For example, a company collecting a user’s financial data for a credit score check does not require explicit consent from the user. 

Responsible data collection and management: 

Companies hold the onus of responsibility to handle user data in a secure manner. Along with “reasonable security safeguards”, companies must also notify the board in case of a data breach. 

These organisations are also expressly required to obtain “verifiable parental consent” before collecting the data of children. Moreover, they are not allowed to collect data that is likely to cause harm to a child, or engage in tracking or behavioural monitoring of children’s activities. 

Rights of users: 

Users have the right to ask companies a summary of what data is being processed and what activities are being undertaken on that data. Moreover, companies are also required to give information on the different parties they have shared the information with. 

Users also have the right to ask companies to erase their personal data, unless it is required to be held for a legal purpose. 

Transfer of personal data outside India:

One of the primary pain points of previous drafts of the bill was the fact that companies were not allowed to transfer data outside of India. The new draft amends this issue, allowing companies to transfer data to a number of countries that will be vetted by the Indian government. 

However, certain kinds of data can be exempted from this, such as data sensitive to the functioning of India as a whole. The government can also exempt companies from this law depending on the nature of personal data collected.  

Functions of the Data Protection Board:

The Board exists to determine non-compliance of the law and to impose penalties on those who do not follow the regulation. In case of a personal data breach, the regulation also allows for the Board to step in and “adopt any urgent measures to. . . mitigate any harm” caused to users. 

The Board also has the power to “inspect any data, book, register. . . or any other document”. 

Financial penalties for non-compliance:

The act levies fines up to INR 250 crores for non-compliance in the case of a personal data breach. Non-approved data collection of children—and failure to report a data breach to the Board—nets a fine of INR 200 crores. 

Another notable point is that the central government may amend the Act to increase the penalty specified in the act. However, these amendments must be proposed in Parliament before coming into law. 

While the new draft offers some much needed changes to the existing draft, there are still some issues which have not been addressed in the regulation. First is the question of whether the government can ask tech companies to hand over user data citing legal reasons. Secondly, the issue of data localisation has also not been raised in this regulation—skipping over one of the most important concerns raised by companies regarding this regulation. 

The law has been opened up to the public for suggestions by the Minister for Railways, Communications, Electronics and Information Technology, Ashwini Vaishnaw. It is left to see what shape the regulation takes when tabled in the next session of the Parliament.