Companies, banks, and even the government's data-handling agencies will now be mandated to provide details about what information they are collecting about citizens, how they are storing it, and how they are sharing it. The entities will be allowed to process online data of citizens only for "lawful purposes"; in case of violation of the norms, a penalty of a maximum of ₹250 crore and a minimum of ₹50 crore would be imposed on them, including blocking of the platform.
This new mandate has come as the union government on Thursday tabled the Digital Personal Data Protection Bill 2023 in the Lok Sabha with an aim to protect the privacy of Indian citizens.
Entities such as social media companies, startups, e-commerce platforms, banks, fintech, state-backed entities, etc. will face a penalty of up to ₹250 crore for misusing or failing to protect the digital data of individuals, the Bill proposed on Thursday.
Ashwini Vaishnaw, Minister for Electronics and Information Technology, tabled the crucial Data Protection Bill, 2023 on Thursday in the Lok Sabha. However, several Parliamentarians from Opposition parties opposed the move and asked for it to be sent to a standing committee instead, before a voice vote allowed the legislation to be taken up, with discussions likely over the next few days.
Vaishnaw rejected suggestions that it was a money bill. He said it was a "normal bill".
The bill, which comes six years after the Supreme Court declared the "Right to Privacy" a fundamental right, has provisions to curb misuse of individuals' data by online platforms. In the pipeline since 2017, the law is meant to give a legal framework for privacy protections, as the apex court asked the government to examine and put in place a "robust regime" for data protection in the modern era.
The Digital Personal Data Protection Bill (DPDP) 2023 proposes to tighten the noose on entities, especially online platforms like mobile apps and social media companies like Facebook, Twitter, and Telegram, over the collection and processing of personal data of users, be it within the country or overseas.
Notably, the bill neither has a provision that differentiates between sensitive and non-sensitive personal data nor does it restrict the processing of data overseas unless any restricted geography is notified under the proposed norms.
EXEMPTIONS: The Bill seeks to exempt the centre and entities notified by it in some special cases related to the interests of sovereignty and integrity of India, maintenance of public order or preventing incitement to any cognisable offence, court orders, research, etc.
DATA PROTECTION BOARD: The bill moots the creation of the Data Protection Board of India to handle grievances of individuals around personal data privacy if data fiduciaries or firms using personal data fail to address individuals' complaints.
TDSAT: Any person aggrieved by an order or direction made by the Board under the Digital Personal Data Protection Act, 2023 can appeal before the telecom tribunal TDSAT and thereafter before the apex court.
NORMS FOR BIG ENTITIES: The large online platforms will be required to appoint a Data Protection Officer who will act as a point of contact for the grievance and redressal mechanisms of their users. Large online entities will also need to appoint independent data auditors to carry out data audits and evaluate the compliance of the firms in accordance with the provisions of DPDP Bill 2023.
'CENTRAL GOVT CAN BLOCK CONTENT IF…': The provisions under the bill enable the centre to block access to content in the interest of the general public on getting a reference in writing from the board.
‘PROTECTION OF CHILDREN'S DATA’: The bill includes a mechanism to process the data of children, defined as individuals below the age of 18 years. In the case of children, entities will need to take the consent of the guardian. Under the proposed norms, the centre may notify the age above which the data fiduciary will be able to process data if it is done in a verifiably safe manner.
"This legislation represents a major milestone in protecting digital privacy and promoting a secure data ecosystem in India. It can potentially transform the business landscape by demanding transparency, explicit consent, data minimization, and adherence to usage limits. While organizations must allocate resources and address compliance costs, embracing these changes will allow them to navigate the regulatory environment successfully. Therefore, it is essential to prioritize the inclusion of the DPDP bill in the Board Agenda. Organizations will require leadership support and investments to implement robust privacy practices across their operations and processes. Although managing these necessary changes may present initial challenges, the long-term benefits are substantial, as customers and business partners tend to prefer working with organizations that demonstrate respect and responsible management of their data," Sandeep Gupta, Managing Director, Protiviti Member Firm for India said.