New Personal Data Protection Bill includes child protection, fines but needs clarity
The much-awaited new Personal Data Protection Bill will impose up to Rs 500 crore penalty and mandates parental consent for minors, but keeps many policies open-ended, say experts.
The much-anticipated new Personal Data Protection (PDP) Bill, which was released today for public consultation, places up to Rs 500 crore penalty in case the rules are violated.
The Bill also specifies the need for verifiable parental consent in case a data fiduciary is processing personal information from anyone below the age of 18. A data fiduciary includes any person who, alone or with others, determines the purpose of processing personal data, according to the Bill released by the Ministry of Electronics and Information Technology.
It also mandates companies or individuals collecting data to provide people with a notice in plain language describing the personal data they seek, and the purpose of processing such information. A firm also needs to appoint a data protection officer or authorise a person to listen to users' queries regarding consent towards sharing their information.
In 2017, Justice BN Srikrishna set up Srikrishna Committee to recommend a data protection framework. The earlier versions of the PDP Bill, and the one released in 2019, had to be scrapped as they were perceived to not support the current digital times and many stakeholders said it would impact the startup ecosystem negatively.
Personal Data Protection: How compliant are your customer and employee onboarding?
The new draft is the fourth edition of the PDP Bill.
"This Bill is certainly a step in the right direction of striking a balance between supporting innovation and protecting user rights. In particular, we note that many obligations applicable to data fiduciaries and processors and mechanisms relating to data processing have been simplified, which will likely enable easier compliance," Shahana Chatterji, Partner, Shardul Amarchand Mangaldas & Co told YourStory.
Pushing companies to provide notices in English and other languages, which fall under the Eighth Schedule to the Indian Constitution, is a good move, according to Sumeysh Shrivastava, Manager (Public Policy), The Quantum Hub. "This means privacy and data protection will become more accessible to everyone," he added.
However, the latest edition of the Bill still seems to be a work in progress. Aspects including child protection policies and companies collecting data and not storing it in India still need some clarity.
The non-compulsion of storing data in India is a respite for many big tech players, including Meta and Amazon, as well as startups. A special provision has been created for data, which is being transferred outside of India. The central government will notify their selected countries or territories overseas after assessing various aspects. But, for now, the list of these territories has not been revealed.
"The new Bill is limited in its scope to cover only the processing of digital data, and excludes offline personal data or any non-automated processing of personal data," Anupam Shukla, Partner, Pioneer Legal, said.
"How will this affect the rights of data principals will have to be evaluated further. Rules issued under this law will provide more colour to specific elements of this bill and highlight the effectiveness of the same going ahead," he added.
Edited by Kanishk Singh