Digital Personal Data Protection (DPDP) Bill has received approval from the Union Cabinet and will be presented in the upcoming monsoon session of Parliament, as reported by PTI based on source inputs. The primary objective of this Bill is to hold entities accountable for the collection, storage, and processing of citizens' data, ensuring their right to privacy is protected. The draft of the DPDP Bill has been sanctioned by the Cabinet and will be tabled during the parliamentary session scheduled to take place from July 20 to August 11.
The impetus for the data protection Bill came after the Supreme Court's landmark ruling in August 27, recognising the Right to Privacy as a fundamental right. In response, the government withdrew the previous personal data protection Bill, originally introduced in late 2019, and presented a revised version in November 2022. Although specific changes in the Bill were not disclosed by the source, it was mentioned that most of the provisions from the draft issued by the Ministry of Electronics and IT (MeitY) in November 2022 have been retained in the approved draft.
The draft Bill underwent an extensive consultation process before being presented to the Cabinet. Approximately 21,660 suggestions were received and thoroughly considered. Consultations were held with 48 external organisations and 38 government entities, ensuring a comprehensive approach in finalising the draft. Once enacted, the Bill will require both public and private entities to obtain consent from users for the collection and processing of their data.
Criticism was directed towards the draft Bill due to concerns regarding the government's power to exempt entities from certain clauses. The draft proposed exemptions for entities notified by the government, relieving them from the obligation to notify citizens about the purpose of data collection and processing. However, the source clarified that exemptions for government or government-notified entities would only apply in special cases, such as pandemics or law and order situations.
When questioned about provisions to prevent misuse of data collected by central and state agencies, the source emphasised that there is no blanket exemption for government entities, and the Bill, once enacted, will evolve gradually. The Data Protection Board will play a vital role in resolving issues on a case-by-case basis. While the MeitY's draft Bill aimed to omit Section 43A of the IT Act, which concerns compensation for data protection violations, the source assured that victims would still have the right to claim compensation through civil courts, as determined by the Data Protection Board.
To enforce compliance, the Bill proposes penalties of up to Rs 250 crore for each violation of the prescribed norms by entities. However, if multiple individuals are affected by a violation, the impact will be assessed by the Data Protection Board, which will then determine the appropriate scale of the penalty.
Once the law is implemented, individuals will have the right to request information regarding the collection, storage, and processing of their data. The Bill does not differentiate between sensitive and non-sensitive data but establishes overarching principles that entities must follow in their data practices. It is expected that the Bill will foster a gradual evolution of data protection measures as it takes effect.