Personal data Bill: Govt likely to block platforms after two breaches

For users below 18 years of age, platforms will need to obtain consent from parents or guardians

Sourabh Lele New Delhi
Last Updated: Aug 01 2023 | 10:45 PM IST
The Digital Personal Data Protection (DPDP) Bill may allow the government to block a digital platform after more than two instances of penalties for data breaches, a report by the Parliamentary Standing Committee on Communications and Information Technology revealed on Tuesday.

The report on citizens’ data security and privacy offered a detailed response from the Ministry of Electronics and Information Technology (MeitY) regarding its action plan for ensuring privacy and on the much-awaited data privacy law. The government is likely to introduce the DPDP Bill, 2023, in the ongoing monsoon session of Parliament.

According to the report, representatives from MeitY stressed that the essence of the Bill has remained largely the same as the draft DPDP Bill released in November last year. However, a few sections have been broken down into multiple segments, raising the number of sections in the Bill from 30 to 44.

The Bill, which seeks to ensure the citizens’ fundamental right to privacy, has the provision of penalties of up to Rs 250 crore per incident for data fiduciaries failing to employ safeguards against personal data breaches. A data protection board will be in charge of deciding penalties in instances of data breaches.

It proposes that digital platforms provide a detailed itemised notice for taking user consent before collecting any personal data. The deemed consent clause – one of the controversial parts of the Bill – has been removed after consultation with and feedback from stakeholders. However, data processing would still be allowed without consent in special circumstances, such as complying with court orders, providing assistance in medical emergencies, responding to disasters, maintaining public order, and collecting data in connection with employment.

The government and its agencies may also be exempted from the requirement of consent to protect the sovereignty and integrity of India and for the security of the State.

The report also highlights that the Bill intends to minimise disruption by maintaining the validity of processing based on pre-existing consent unless explicitly withdrawn. Platforms will be required to inform the data principal about such already collected data.

Large platforms, designated as “significant data fiduciaries”, will be subject to additional obligations under the Bill, such as appointing India-based data protection officers and conducting data protection impact assessments and audits.

“If the board (data protection board) determines on conclusion of an inquiry that breach of the provisions of this Act or the rules by the entity is significant, it may, after giving the person an opportunity of being heard, impose a monetary penalty. Also, the Central government may, on the request of the board that intimates the imposition of monetary penalty on the entity in more than two instances and advises in the interests of the general public, instruct the appropriate agencies or intermediary to block the services of the entity,” the ministry said in response to the panel’s queries on clauses against Big Tech companies responsible for data breaches.

Experts argue that the new provision should be thoroughly debated before the Bill is enacted.

“While higher sanctions for repeat offenders exist in other laws as well (such as securities laws), such sanctions still need to be proportional to the harm, consistently applied, and decided while complying with principles of natural justice. Blocking of services could have several unintended consequences and adverse impacts on data principals and thus should only be the last resort. There needs to be a greater discussion on different kinds of sanctions which could be imposed on non-compliant data fiduciaries,” commented Amol Kulkarni, director (research) at policy advocacy group CUTS International.

For users below 18 years of age, platforms will need to obtain consent from parents or guardians. However, the government may outline purposes where parental consent isn't required, potentially in situations like protecting abandoned children.

Regarding provisions to protect the data of digitally illiterate individuals, the ministry suggested the consent and notice mechanisms may incorporate visual elements, allowing for easier understanding and accessibility, as the Bill progresses.

For faster resolution of disputes, the board may refer certain matters to an Alternate Dispute Resolution entity identified by the involved parties. 

