[ad_1]
On Wednesday, the Federal Cabinet approved the data protection bill, paving the way for it to be introduced in the Monsoon session of Parliament. If passed, the law would become India’s primary data governance framework, six years after the Supreme Court declared privacy a fundamental right. The bill is one of four pieces of legislation proposed in the information and communication technology sectors to provide a framework for the rapidly growing digital ecosystem.
The Digital Personal Data Protection Bill, 2022, approved by the Cabinet, has been recognized to retain the contents of the original version of the legislation proposed last November, including those identified by privacy experts. Widespread exceptions for the central government and its agencies, remain unchanged. The central government would have the right to exempt “any state means” from negative consequences on the pretext of national security, relations with foreign governments, and the maintenance of public order, among other things.
Central government control in appointing members of the Data Protection Board — a judicial body that will handle privacy grievances and disputes between the parties — was also retained. The CEO of the board will be appointed by the central government, which will also determine their terms and conditions of service.
Released after an earlier version was withdrawn from Parliament last August after nearly four years in the works, the new draft has gone through multiple iterations, a review by a Joint Parliamentary Committee (JCP), and opposition from a range of stakeholders including technology companies and privacy activists. .
One of the major changes learned in the final draft of the bill is in the way it handles cross-border data flows into international jurisdictions – moving away from a whitelist approach, to a blacklisting mechanism.
The Indian Express earlier reported that in a move that could further liberalize the terms of data transfers, the proposed new law could allow global data to flow virtually to all jurisdictions other than a specific negative list of countries to which such transfers would be restricted – essentially the existing ones. The official black of countries where transportation is prohibited.
The draft, which was released for public consultation in November, said the central government would notify countries or territories where personal data of Indian citizens could be transferred, i.e. a whitelist of jurisdictions where data transfers are permitted.
A provision on “discretionary consent” in the previous draft could be rewritten to make it stricter for private entities while still allowing government departments to accept consent while processing personal data on the grounds of national security and the public interest.
A senior government official said the bill is expected to allow “voluntary pledge” — meaning entities that have breached provisions of the law can bring it to the Data Protection Board, which can decide to block action against the entity by accepting a settlement fee. The official said that repeating crimes of the same nature may lead to greater financial penalties.
The highest penalty that can be imposed on an entity – in calculating failure to prevent a data breach – has been set at Rs 250 crore per case. In informal conversations, government officials stressed that the definition of “per case” is subjective and can mean either a case of a data breach, or counting the number of people affected by it and multiplying it by Rs 250 crore. However, none of this is defined by law, and is open to interpretation by the Data Protection Board on a case-by-case basis.
They said implementation of the bill would be “digital by design”, and insisted the government had made “advanced” plans to that end. The consent requirements under the bill may also force companies to change the way they serve cookies on their websites, the official said, since they would have to seek specific consent for how the cookies track user activities on their site.
Digital frame repair
The Digital Personal Data Protection Act, 2022, is a key pillar of a comprehensive framework of technology regulations that the Center is building which also includes the Digital India Bill – the successor to the Information Technology Act 2000; Indian Telecom Bill, 2022; and non-personal data management policy.
[ad_2]
