Draft data bill proposes to amend RTI Act

In order to protect individual privacy under the draft digital personal data protection bill, the government plans to amend the Section 8.1 (j) of the Right to Information (RTI) Act that allows information commissioners to share personal details about administration officials in the larger public interest.

The words "the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information" shall be omitted, the draft data bill reads.

The Ministry of Electronics and Information Technology (MeitY) released the draft digital personal data protection bill last week, prescribing financial penalties up to ₹500 crore for non-compliance.

The government also plans to establish a Data Protection Board of India which will be responsible for determining non-compliances under the legislation and imposing penalties. In the event of a personal data breach, the board may direct the company to adopt any urgent measures to remedy such personal data breach or mitigate any harm caused to individuals, according to the draft bill.

The draft bill also prescribes a penalty of up to ₹250 crore for failure of a company to take reasonable security safeguards to prevent personal data breach. It also proposes a fine of up to ₹200 crore for failure to notify the Data Protection Board and affected users.

Such penalties happen to be the highest amounts that can be ordered, according to law firm Khaitan & Co. "During adjudication of any non-compliance, the Board will take into account mitigating factors, such as gravity of contravention, duration and its repetitiveness and efforts undertaken by the entities to limit damage pursuant to the contravention, etc. while determining the quantum of penalty to be imposed," the law firm says.

While the bill is a simpler and reader friendly version when compared to its predecessors, several aspects of the bill currently appear to be vague in the absence of specific procedural guidance, it adds.

"The bill, in a significant departure from the 2019 Bill, has done away with the categorisation of personal data into sensitive personal data and critical personal data. Further, one of the most commendable aspects of the bill is that it has eased data localisation restrictions which is bound to give a thrust to India’s booming start-up economy and businesses," says Khaitan & Co.

In August 2022, MeitY withdrew the Personal Data Protection Bill 2019 (2019 Bill), which was reworked on by the Joint Parliamentary Committee (JPC), promising that they would release a more comprehensive data protection framework to take into account the recommendations of the JPC.

"This bill is certainly a step in the right direction of striking a balance between supporting innovation and protecting user rights," says Shahana Chatterji, partner, Shardul Amarchand Mangaldas & Co. "In particular we note that many obligations applicable to data fiduciaries and processors and mechanisms relating to data processing have been simplified, which will likely enable easier compliance," Chatterji adds.