Data protection Bill tabled, penalties of up to Rs 250 crore for leaks


The government on Thursday introduced in Lok Sabha a bill outlining the lawful collection, processing and safeguarding of private data, and prescribing penalties of up to Rs 250 crore in case of breaches.


Digital platforms will need to take unconditional, free, specific, and informed consent from users presented in clear and plain language for processing their data, according to the Digital Personal Data Protection Bill, 2023.


Users will be able to withdraw consent at any point, post which the platforms must stop processing their data and erase it. Data processing in certain cases like medical emergencies, disasters, court orders and by government agencies for various purposes may not need user consent.


Every platform will need to provide a notice explaining the purpose of data processing and the rights of users. The notice has to be made available in all 22 official languages listed in the Constitution. The platforms that have already collected personal data will need to send a notice to users allowing them to withdraw their consent.


The bill, a dedicated law to ensure data privacy, has gone through over four years of work, rounds of deliberation, and multiple iterations. The new version was introduced in the house exactly one year after the withdrawal of the previous draft.


The final version of the bill is a distinct framework compared to the previously proposed draft legislation on the same subject. In a big relief to the industry, the bill has allowed cross-border data transfers and voluntary undertaking of data breaches, and has removed the criminal penalties prescribed in the draft tabled in 2019. Personal data can be transferred to any country except certain geographies that the government may include in a blacklist.


The bill does not apply to anonymised, non-personal and offline personal data. It also does not classify data into categories such as sensitive and critical data. To reduce litigation, the bill has provisions such as alternative dispute resolution (ADR).


The government will establish a Data Protection Board, an independent body that will examine personal data breaches and impose penalties. If the board finds a platform fails to take “reasonable security safeguards” to prevent a data breach, it can impose a penalty of up to Rs 250 crore. Failing to comply with additional obligations related to children’s data may lead to a penalty of Rs 200 crore.


However, the government can exempt certain entities including startups from the provisions of the bill, depending on the volume and nature of personal data processed by them. The government may also exempt its agencies under various circumstances.


The platforms must obtain verifiable consent of the parent before processing any personal data of a person below 18 years and in cases of persons with disability, consent from a lawful guardian. However, the government can exempt certain classes of platforms from this condition.


Processing of personal data that can have a detrimental effect on the well-being of a child will not be permitted according to the bill. Tracking and behavioural monitoring as well as targeted advertising for children will be outlawed.


Any disputes with the board’s decisions can be raised before the Telecom Disputes Settlement and Appellate Tribunal (TDSAT). Importantly, the bill has set out the broad principles of data protection, and the nuances of legal requirements will only be clear once the government lays down the rules after the enactment of the bill.


The earliest efforts on a data protection bill began in 2017, after the Supreme Court’s 2017 judgment recognising the right to privacy as a fundamental right of citizens provided grounds for the government to bring a data privacy bill. The Ministry of Electronics and Information Technology in the same year constituted a committee of experts chaired by Justice BN Srikrishna to create a draft bill. The committee presented the Draft Personal Data Protection Bill, 2018.

In 2019, the bill was tabled in parliament with some amendments and was referred to a joint parliamentary committee (JPC). However, the government withdrew the draft last year, as the JPC suggested 81 amendments and 12 recommendations in a bill of 99 sections. This was followed by a new draft released for public consultations in November 2022. The government received as many as 21,666 suggestions from industry stakeholders and legal experts.


Penalties and red cards


– Platforms may be blocked after two instances of penalties 


– Personal data can be transferred overseas freely, except to blacklisted countries


– Platforms must notify users about pre-existing datasets, giving them a chance to erase them


– Data protection impact assessment and data audits a must for big platforms


– ‘Deemed’ consent clause removed, will have equivalent exceptions


– Final Bill has 44 sections. The earlier draft had 30

