The Indian IT minister, Ashwini Vaishnaw, reintroduced an updated data privacy bill on Thursday in the lower house of the Indian parliament, months after introducing its last draft and after abruptly withdrawing a previous proposal the previous year in response to opposition from tech giants. Many members objected to the new bill, claiming it violated their right to privacy.
The Digital Personal Data Protection Bill
The legislation, known as the Digital Personal Data Protection Bill, aims to give Prime Minister Narendra Modi-led administration significant decision-making authority, as reported by TechCrunch.
These abilities include the capability to exclude certain data fiduciaries from compliance, even startups if the necessity ever arises. They may also consent to the handling of children's data if the fiduciary can show that appropriate safeguards have been taken.
Additionally, the government has the power to list the nations where the transmission of users' personal data is prohibited. This clause alters a previous version of the bill that suggested enabling data transfers to "notified countries and territories."
The law offers legal protection from legal actions for the federal government, the data protection board, and its members, including the chairwoman.
According to the law, the data protection board must be established by the national government. The board's members and chairperson will likewise be chosen by the government; each will hold office for an initial period of two years.
A member of the data protection board may only quit by giving written notice to the government, according to the bill. When this resignation is submitted, when it is approved by the government, when a replacement is named, or when the current term expires, it takes effect three months later.
If a person does not obtain an appropriate response from the data fiduciary within the required seven days, the law permits them to raise their data protection concerns to the board.
The public must also comply with the bill's demand that they give only true personal information and not pretend to be someone else. Individuals who violate the obligations outlined in the bill may be subject to penalties, including fines of up to $121 (10,000 Indian rupees). Penalties for breaking the legislation for a data fiduciary might be as severe as $30 million (250 crores of Indian rupees).
The bill states that the Telecom Disputes Settlement and Appellate Tribunal will hear appeals of the Data Protection Board's decisions for review within 60 days.
The bill requires businesses that acquire user data to get users' express consent. Simple language should be used to communicate the consent requests. Customers may later revoke their consent. The bill also includes a provision for the creation of a grievance redressal system through consent managers, which can assist users in providing, managing, reviewing, and withdrawing their consent.
Read also: US Congress Contemplates New Regulations for Tech Industry; Will TikTok Be Permanently Banned?
Exemptions To the Bill
The measure does, however, exempt "certain legitimate uses" from the demand for obtaining user consent. This is an update to the "deemed consent" clause that was included in the previous draft of the bill. It permits platforms to gather personal user information from users who willingly disclose it, like when using public services. In accordance with this clause, the government may also access users' personal information from platforms to administer subsidies or carry out other legal obligations.
In contrast to the GDPR in Europe and the CCPA (California Consumer Privacy Act) in the United States, India's approach to data privacy is less punitive and gives the federal government the authority to change the law in certain circumstances.
In 2017, the South Asian country started examining data protection. The first personal data protection bill was presented to the Indian parliament two years later, in 2019. It was withdrawn last year, though, as privacy groups and tech giants like Amazon, Google, and Meta criticized it for granting exemptions to government agencies and constricting the extent of user data protection.
Although the data privacy bill has received some criticism from the opposing political parties, it still needs to be approved by the upper house of parliament and the Indian president to become law. Giving the central government "excessive" power is one of their main concerns. The administration has come under fire from public policy experts for withholding the results of the public consultation on the draft data protection bill.
Related article: EU-US Data Privacy Framework to Make Data Transfer Between Europe and the US Possible
