India is poised to establish its inaugural data security legislation as the Digital Personal Data Protection Bill successfully cleared the Rajya Sabha on August 9 through a voice vote.
Upon receiving the endorsement of President Draupadi Murmu, the bill will formally transition into law.
The bill’s passage through the Upper House follows its earlier approval by the Lok Sabha on August 7.
Evolution and Significance of the Bill
The journey towards this milestone began when the Supreme Court recognized the right to privacy as fundamental with reasonable limitations in 2016.
Consequently, diverse segments of society have advocated for the enactment of a robust data protection law.
Crucial Highlights of the Digital Personal Data Protection Bill
- The central government will wield authority to halt and regulate the transfer of data to foreign nations or territories outside India.
- Social media companies that utilize user data must ensure the safeguarding of personal information, even if accessed via third-party data processors.
- Data pertaining to children and individuals with disabilities will necessitate parental consent prior to access.
- In instances of data breaches or theft, companies are obligated to notify the Data Protection Board (DPB) and affected users.
- Appeals against DPB decisions will be addressed by the Telecom Disputes Settlement and Appellate Tribunal.
- DPB will have the jurisdiction to summon companies, conduct examinations, and scrutinize corporate records.
- DPB possesses the authority to levy fines on social media entities after thorough investigation.
- Repeated violations of other laws might lead DPB to recommend government intervention to block intermediary access.
- Social media firms are mandated to appoint a data protection officer, with users receiving requisite notifications.
- Companies could face penalties up to Rs 250 crore for infractions such as data breaches, inadequate personal data protection, or failure to notify the DPB and users of breaches.
The Journey Leading to Enactment
The initial Personal Data Protection (PDP) Bill was introduced in 2018 and subsequently in 2019.
However, it was referred to a Joint Parliamentary Committee for assessment. After two years of thorough examination, the panel presented its findings and an updated version of the PDP bill in December 2021.
In 2022, the government withdrew the PDP Bill due to compliance considerations, subsequently introducing the Digital Personal Data Protection Bill a few months later.
With cabinet endorsement in July, the bill cleared the way for introduction during the ongoing monsoon session, thus marking a watershed moment in India’s legislative landscape.