India's Cabinet Approves Digital Personal Data Protection Bill

India's Cabinet Approves Digital Personal Data Protection Bill, Paving the Way for Enhanced Data Governance

The Union Cabinet has granted approval to the Digital Personal Data Protection Bill, 2022, marking a significant development in data protection in India. The bill, which will be presented during the upcoming Monsoon session of Parliament, aims to establish a comprehensive framework for data governance in the country. This comes six years after the Supreme Court of India recognized privacy as a fundamental right. The bill, previously known as the Personal Data Protection Bill, 2019, has undergone revisions and now encompasses several crucial provisions.

The bill's scope covers the processing of digital personal data in India, whether collected online or offline and subsequently digitized. Personal data is defined as any information relating to an identifiable individual. The legislation also extends to the processing of personal data outside of India, provided it involves offering goods or services to individuals in India or profiling Indian individuals.

Regarding consent, the bill emphasizes that personal data can only be processed for lawful purposes with the explicit consent of the individual. A notice must be provided before seeking consent, and individuals have the right to withdraw their consent at any time. The bill also grants individuals specific rights, such as the right to access information, request corrections and erasures, and seek redressal for grievances related to their data. Alongside these rights, individuals have certain responsibilities, including refraining from filing false or frivolous complaints, providing accurate information, and not impersonating others.

The bill places obligations on data fiduciaries, which are entities responsible for determining the purpose and means of data processing. Data fiduciaries must make reasonable efforts to ensure data accuracy and completeness, implement security measures to prevent data breaches, and promptly inform the Data Protection Board of India and affected individuals in the event of a breach. Furthermore, data fiduciaries should discontinue retaining personal data once the purpose has been fulfilled, unless legal or business requirements necessitate further retention. It's worth noting that government entities are exempt from the storage limitation requirement.

For the transfer of personal data outside India, the central government will notify countries where such transfers can occur. Transfers will be subject to prescribed terms and conditions to ensure data protection standards are maintained. The bill also provides exemptions for government agencies in specific cases, such as those related to national security, public order, and the prevention of offenses.

To enforce compliance with the provisions of the bill, the central government will establish the Data Protection Board of India, which will adjudicate cases of non-compliance. The appointment of board members lies under the control of the central government.

The bill outlines penalties for various offenses, including non-fulfillment of obligations for children, which may incur fines of up to Rs 150 crore, and failure to implement security measures to prevent data breaches, which may result in fines of up to Rs 250 crore. The imposition of penalties will be determined by the Data Protection Board following an inquiry.

In summary, the approval of the Digital Personal Data Protection Bill, 2022 by the Union Cabinet marks a significant step toward enhancing data protection in India. The bill, along with three other proposed legislations, aims to establish a comprehensive framework for the rapidly expanding digital ecosystem in the country. Notable changes in the approved bill include a shift from a whitelisting approach to a blacklisting mechanism for data transfers across countries and stricter provisions regarding deemed consent for private entities. However, government departments retain the ability to assume consent for data processing on grounds of national security and public interest.

Thank You