The personal data protection bill can become the foundation for the country’s legal safeguards for individual privacy. Penalty for breach of information would land offenders in serious trouble.
The Union Cabinet approved on Wednesday the country’s first proposed law to regulate how individuals and organizations handle digital data of Indian citizens, introducing new provisions that, while diluting some of the contentious “localization” requirements, could now require companies to carry out the real-name verification of users, according to officials familiar with the draft. The punishment for disclosure of information in breach of lawful contract and imprisonment under the IT Act may be for a term not exceeding three years, or with a fine which may be Indian Rupees 5 million or with both.
The personal data protection bill, once approved by Parliament, will be the foundation for the country’s legal safeguards for individual privacy, which was held by the Supreme Court as a fundamental right in a ruling in 2017.
“The protection of personal data is a very important subject globally. How that will be done [here] and how work will progress keeping India’s interest and people’s interest in mind, this is what this bill is about,” said Union information and broadcasting minister Prakash Javadekar at a briefing about the Cabinet’s decisions.
“Information that is neither classified as critical nor as sensitive will not need to be storied in India if the fiduciary obtains the consent of the user to send such data abroad,” a senior official said, asking not to be named. A fiduciary is any individual or organization, whether private or government, that handles data.
“The idea behind not requiring non-sensitive, non-critical data to be mandatorily kept in India is that Indian IT entrepreneurs might be badly affected if there are retaliatory localization attempts by other countries,” a second official added.
Legal experts said the law is a crucial
first step in order to set up a legal framework that protects privacy. “The
data protection law is an imperative foundation for right to privacy,” said
Arghya Sengupta, research director, Vidhi Centre for Legal Policy. Sengupta was
among the members of the Srikrishna committee.
“There has been a lot of talk about exemptions. The data protection law cannot be turned into an anti-surveillance law. That has to be a different law. Data protection law can be the first word on the debate surrounding surveillance but not the last,” he added.