Data Protection Bill Receives Cabinet Green Light; Anticipated Introduction in the Monsoon Session of Parliament
The Digital Personal Data Protection (DPDP) Bill, recently approved by the Union Cabinet, aims to enhance accountability and transparency regarding the collection, storage, and processing of citizens’ data by entities such as internet companies, mobile apps, and businesses. The bill will be presented during the upcoming monsoon session of Parliament, scheduled from July 20 to August 11.
The development of the data protection bill began after the Supreme Court recognized the “Right to Privacy” as a fundamental right in August 2017. The government withdrew the previous version of the bill in August 2022 and introduced a new draft in November 2022.
The approved draft incorporates most of the provisions from the November 2022 draft issued by the Ministry of Electronics and IT (Meity), although specific changes were not disclosed. The draft underwent extensive consultations, with around 21,660 suggestions received and considered, involving 48 external organizations and 38 internal government entities.
Once the bill is enacted, both public and private entities will be required to obtain consent from users before collecting and processing their data. The draft bill faced criticism for granting the government the power to exempt certain entities from various clauses. The source clarified that while some exemptions may exist for government or government-notified entities in exceptional cases such as pandemics or law and order situations, there is no blanket exemption for government entities.
To address potential misuse of data collected by central and state agencies, the bill does not provide a blanket exemption for government entities. Disputes regarding data protection will be resolved by the Data Protection Board on a case-by-case basis. While the Meity’s draft proposed omitting Section 43 A of the IT Act, which pertains to compensation for data protection violations, victims will retain the right to claim compensation through civil courts.
The bill suggests imposing penalties of up to Rs 250 crore for each instance of norm violation by entities. However, in cases where multiple individuals are affected, the Data Protection Board will assess the impact and determine the appropriate scale of the penalty.
Once the law is implemented, individuals will have the right to seek information about the collection, storage, and processing of their data. The bill does not differentiate between sensitive and non-sensitive data but establishes general principles for data collection, storage, and processing.
Overall, the DPDP Bill seeks to enhance data privacy rights, promote accountability among entities handling personal data, and establish a framework for resolving disputes and compensating victims of data protection violations.