Cabinet approves bill to protect personal data; proposes imprisonment, penalty for privacy violations

NEW DELHI: The government approved Wednesday that it proposes a fine of up to 15 million rupees and up to three years in jail for company executives for violating privacy regulations.

The bill also requires the storage of critical data of individuals by internet companies within the country, while confidential data can be transferred abroad only after the explicit consent of the data owner, a source said.

Minister of Information and Broadcasting Prakash Javadekar He said the bill has been approved by the Cabinet and will be presented to Parliament during the current winter session.

The bill was drafted following a ruling by the Supreme Court in August 2017 that declared that the 'Right to privacy' was a fundamental right.

The apex court further emphasized the need for a solid personal data protection regime in its September 2018 ruling in which it considered Aadhaar as a constitutionally valid scheme, but overturned some provisions of the Aadhaar Law.

When giving details about the provisions of the bill, the source said that all Internet companies will have to compulsorily store critical data of people within the country. However, they may transfer confidential data abroad after the explicit consent of the owner of the data for processing only for the purposes allowed by the proposed legislation.

The government will define critical data from time to time. Data related to health, religious or political orientation, biometrics, genetics, sexual orientation, health, finances, etc. They have been identified as sensitive data.

A fine of up to Rs 15 million rupees or 4 percent of an entity's overall income will be imposed on the entity found guilty of a serious violation under the bill, the source said.

For minor infractions, the bill proposes a fine of Rs 5 crore or 2 percent of the total turnover. It also has the provision of the jail sentence for officials of the entity that is in breach of the provisions of the law.

The executive in charge of the company that carries out the data business would face a prison sentence of up to three years if he is found guilty of intentionally relating anonymous data with publicly available information to discover the identity of a person, called reidentify data. identified 'in technical language, the source said.

Social media companies will be required to present a mechanism to identify users on their platform who are willing to be identified voluntarily.

According to the provision, a social media fiduciary will have to give users on their platform an option to be verified. It will be voluntary for people if they want to be verified or not, the source said.

The bill has provisions to grant the right to be forgotten to data owners, as well as the right to erase, correct and carry the data.

The bill will encourage entities to start processing data in India and, with a high level of data consumption, the country is expected to become one of the largest data refinery centers in the world. The bill allows data processing only for lawful purposes. source said.

The bill exempts the processing of personal data in case of national security problems, court order, etc.

Any information that can identify an individual has been defined as personal information. While all entities will need to obtain the explicit consent of the owner of the information, in some cases, such as state security, provide relief in case of a medical emergency, detection of illegal activity, reporting of irregularities, etc. explicit consent cannot be required, the source said.

The bill requires entities in the data processing business to register with the government as data fiduciaries for the purpose of processing them.

The government will have the right to direct fiduciary data to share anonymous or non-personal data for better service targeting, policy formulation, relief work, etc., the source said.