Cabinet clears Data Protection Bill

The Union Cabinet on July 5, 2023 cleared the Digital Personal Data Protection (DPDP) Bill, a senior government official said. The clearance paves the way for the Bill to be introduced in Parliament in the upcoming Monsoon Session, scheduled to begin on July 20, 2023.

The Union Cabinet on Wednesday cleared the Digital Personal Data Protection (DPDP) Bill, a senior government official said. The clearance paves the way for the Bill to be introduced in Parliament in the upcoming Monsoon Session, scheduled to begin on July 20. Along with the data protection law, the Union government may also table the Indian Telecommunications Bill, a draft of which was circulated in a public consultation last year. The telecom Bill would overhaul the Telegraph Act, which is the legal framework for telecom firms and internet service providers.

The data protection legislation specifies norms on management of personal data of Indian residents and requires explicit consent from people whose data is collected and used.

The official said that over 20,000 comments were received on the draft Bill though these will not be put out in public domain. He also said that there has not been much change between the draft that was circulated in public consultation and the final Bill, which will be tabled in the parliament. The Union government has refused to provide copies of comments from industry, civil society, and government bodies on the Bills in response to Right to Information requests.

The Bill essentially allows laypersons to complain to the Data Protection Board of India, consisting of technical experts constituted by the government, if they have reason to believe that their personal data has been used without their consent - for example, cell phone numbers or Aadhaar details. “The Board will institute an investigation into the breach,” the official said.

It is not clear what changes, if any, have been made to the DPDP and telecom Bills following consultation processes. Minister of Electronics and Information Technology Ashwini Vaishnaw said in May that the telecom industry had held extensive meetings with the Union government after the public draft of DPDP Bill was released in November.

The DPDP Bill also outlines practices for entities that collect personal data, how that data should be stored and processed to ensure there is no breach, as well as rights of the persons whose data is being used. The Bill draws from an EU law - The General Data Protection Regulation - and benchmarks 23 instances in which taking consent for recording data is not possible. “These are special circumstances like golden hour during an accident or natural disasters and so on,” the official said.

The official further said that the Bill has a clause for offering voluntary undertaking in case an entity wants to admit that a breach has occurred and pay penalty as mitigation measure to avoid court litigation. “Penalty of up to ₹250 crore could be levied for each instance of breach with an upward revision of ₹500 crore,” the official said. Fines for individual offences would begin from ₹10,000.