The personal data protection bill has been approved by the Union cabinet today, clearing the way for its introduction into Parliament during the upcoming Monsoon session, according to a news outlet that cited sources.
This is the version of the bill that was released for public comment by the government in November of last year. On the recommendation of stakeholders, sources claim that a few modest improvements have been implemented; nevertheless, more information is anticipated.
The Justice BN Srikrishna Committee’s decision to withdraw a previous data protection bill in 2018 after it received harsh criticism for being overly complex and placing onerous burdens on industry, among other things, led to the need for this new legislation.
The new bill does away with controlling the use of non-personal data by only focusing on personal data. Additionally, it has removed the requirement for enterprises to locally store all user data and given them the freedom to store such data in “trusted geographies.”
The proposed legislation mandates that a data fiduciary—an organisation that manages user data—provide a user with an itemised notice of the data it intends to gather, in plain and simple terms. Additionally, it stipulates that the user must have the ability to grant, manage, and withdraw consent to the sharing of his or her information.
For instance, the bank must erase the customer’s account-related data when the customer closes their savings bank account. A data fiduciary is expected to keep personal data for as long as it is necessary for the purpose for which it was obtained, so if a user deletes their social media account on a certain platform, their data must also be erased.
According to the bill, a data fiduciary is not permitted to track children or monitor their behaviour or to target them with advertisements. The fiduciary must get verifiable parental consent before processing any personal information pertaining to a child. Furthermore, failure to comply with these requirements relating to children may result in fines of up to Rs 200 crore.
A few months ago, Ashwini Vaishnaw, the minister of electronics and information technology, courted controversy when he asserted that the bill had been “approved” by the Parliamentary Standing Committee on IT. Soon after, committee members including Karti Chidambaram, John Brittas, and others denied these allegations.
It’s crucial to keep in mind that the Personal Data Protection Bill, 2019, the last iteration of this legislation, was referred to a Joint Parliamentary Committee only after being introduced in the Parliament. The JPC had been debating it for more than two years. The committee turned in its report in December 2021, and after that, in August 2022, the administration withdrew the measure due to worries about compliance.
