Centre to table data protection law in Parliament

The Union Cabinet on Wednesday approved Data Protection Bill, which will spell out norms for handling personal data including its processing by public and private entities.

Announcing the decision, Information and Broadcasting Minister Prakash Javadekar said, the proposed legislation will be tabled in the ongoing Parliament session.

Though the Minister refused to give details of the bill, sources said that it contains broad guidelines for collection, storage, processing of personal data, consent of individuals, penalties for misuse of data and compensation, an enforcement model.

On the line of the European Union's General Data Protection Regulation (GDPR), a panel headed by a former Supreme Court judge Justice Srikrishna drafted The Personal Data Protection Bill in 2018.

All internet companies will have to mandatorily store critical data of individuals within the country, however, they can transfer sensitive data overseas after explicit consent of the data owner to process it only for purposes permitted under the law once the Bill is approved by Parliament, the source in the government said.

Data related to health, religious or political orientation, biometrics, genetic, sexual orientation, health, financial etc have been identified as sensitive data. However the government will define the critical data while framing rules, sources said.

"Data privacy law exempts processing of data without consent in case of issues around sovereignty, national security, court order etc," an official in the Ministry of Electronics and Information Technology, said.

Companies may face a penalty of up to Rs 15 crore or 4 per cent of global turnover for major violations under the law. For minor violations, a penalty of Rs 5 crore or 2 % of global turnover is proposed, the official said.

The proposed law is key for how foreign firms including Google, Facebook and Amazon, process, store and transfer Indian consumers' data.

If the company's executive in-charge of conduct of the data business can also face a jail term of up to three years if found guilty of knowingly "re-identifying de-identified data" of individuals in the country or processing them in violation of the norms laid in the Bill, a source said.

"Under the provision, a social media fiduciary will have to give users on its platform an option to get verified. It will be voluntary for individuals if they want to get verified or not," the source said.

The Bill has provisions to grant the right to be forgotten to data owners as well as the right to erase, correct and porting of data.