Bill: Data bill: ₹250 crore fine for flouting citizen information norms | India News – Times of India

NEW DELHI: Banks, e-commerce, social media, internet companies and even the government’s data handling agencies can process your online data only for “lawful purposes” and will be mandated to provide details about what information they collect from you and how they store, use and share this, failing which they run the risk of penalties that may extend up to Rs 250 crore for a single violation, and even blocking of the platform.

These provisions emanate from the new version of the Digital Personal Data Protection Bill, introduced in Parliament on Thursday, that seeks a strict consent-based regime to protect the privacy of millions of internet users across India.

T here will also be penalties on companies if they fail to report a data breach, or fail to protect — or are found to be leaking or misusing — personal data of individuals. Users can approach an all-new redressal platform, the Data Protection Board that would be formed by the central government and among other things possess the powers to impose penalties. In cases of serious and repeated violations, the central government can even order the blocking of the platform – or of the illegal data – when recommended by the Board and after an inquiry and hearing with the company.
The new bill tabled exactly a year after the government withdrew a previous version, also aims to empower users to remove wrong information about them from the internet platforms, while allowing people to nominate someone to manage their social media accounts after they are no more, or are incapacitated to handle their information.
The need for such a provision had been increasingly felt as there have been numerous instances where incorrect information on an individual or a company continues to stay online, with not much specific legal remedy to rectify the same. “A Data Principal (user) shall have the right to correction, completion, updating and erasure of her personal data.”
Importantly, the new bill also paves the way for the creation of an all-powerful Data Protection Board (with powers akin to a civil court) — to be nominated by the central government — that would guard the interests of the users and impose penalties on the platforms for violations. Members of the board would include those having special knowledge or practical experience in the fields of data governance, administration or implementation of laws related to social or consumer protection, dispute resolution, information and communication technology, digital economy, and law. The government said that the board will function independently, just like other regulatory institutions such as SEBI, RBI and Trai.
The new bill will also put curbs on transfer of data to certain locations outside India, with the government set to stipulate geographies where it can be moved to. “The central government may, by notification, restrict the transfer of personal data… to such country or territory outside India as may be so notified.”
Giving an example of how transparency will drive into the digital ecosystem once the Bill becomes a law, the bill says, “X, an individual, gave her consent to the processing of her personal data for an online shopping app or website operated by Y, an e-commerce service provider, before the commencement of this Act. Upon commencement of the Act, Y shall, as soon as practicable, give through email, in-app notification or other effective method information to X, describing the personal data and the purpose of its processing.”
The Bill says that instead of subjecting the users to technical or long-winding approval forms, companies should seek consent which is “free, specific, informed, unconditional and unambiguous with a clear affirmative action”. The processing of the data shall be only for the specified purpose and be limited to such personal data as is necessary for such specified purpose. For example, if an individual downloads a telemedicine app, and the latter seeks consent for accessing the person’s mobile phone’s contact list, the same would not be allowed.
Importantly, the user shall have the right to withdraw the consent given for data processing at any time, following which all information about the individual will need to be erased.

Source link