New Delhi: The Union Cabinet has approved the Digital Personal Data Protection (DPDP) Bill, marking a crucial step towards its introduction in the upcoming Monsoon Session of Parliament, which commences on July 20.
The DPDP Bill aims to regulate the management of personal data of residents and mandates explicit consent for data collection and use. Despite receiving more than 20,000 comments on the draft Bill, the government has declined to release these publicly. Moreover, the final Bill remains largely unchanged from the draft version circulated during public consultations last year.
Under the DPDP Bill, individuals can file complaints with the Data Protection Board of India, a body comprising technical experts, if they believe their personal data has been used without their consent. The Board will then investigate any potential breaches.
The new legislation includes specific instructions for entities collecting personal data, stipulating how such data should be stored, processed, and protected against breaches. The DPDP Bill establishes fines for violations, with penalties reaching up to Rs 250 crore per breach, and a maximum upward revision of Rs 500 crore. These fines would be imposed by the Data Protection Board of India.
The official explained that the Bill also includes provisions for voluntary admittance of a data breach, allowing entities to pay a penalty to avoid court proceedings. He added that in 90-95% of global cases, disputes are resolved at the grievance redressal stage.
The DPDP Bill, drawing on the European Union's General Data Protection Regulation (GDPR), also outlines 23 specific instances where acquiring consent for data collection is impractical, such as during emergencies or natural disasters.
However, concerns have been raised by Right to Information (RTI) activists regarding an amendment to the RTI Act, 2005. This amendment, incorporated in the DPDP Bill, would restrict government departments from sharing “personal information,” potentially inhibiting transparency and accountability of public officeholders.
The Data Protection Bill, which has evolved through multiple iterations since 2017, stems from the landmark K.S. Puttaswamy vs. Union of India case, where the right to privacy was upheld as a fundamental right under Article 21 of the Constitution.
Retired Justice B.N. Srikrishna, who chaired the initial committee to draft a data protection Bill in 2018, has criticised the current version, stating that it grants excessive leeway to the government while insufficiently safeguarding individuals' fundamental right to data privacy.