The Union Cabinet Wednesday approved the draft data protection Bill, paving the way for its introduction in the Monsoon session of Parliament. If passed, the law will become India’s core data governance framework, six years after the Supreme Court declared privacy as a fundamental right.
The Bill is one of four proposed pieces of legislation in the IT and telecom sectors meant to provide the framework for the rapidly growing digital ecosystem. The Digital Personal Data Protection Bill, 2022, approved by the Cabinet, is learnt to have retained the contents of the original version of the legislation proposed last November, including those that were red-flagged by privacy experts.
Wide-ranging exemptions for the Central government and its agencies remain unchanged. The Central government will have the right to exempt “any instrumentality of the state” from adverse consequences, citing national security, relations with foreign governments, and maintenance of public order, among other things.
The control of the Central government in appointing members of the Data Protection Board – an adjudicatory body that will deal with privacy-related grievances and disputes between two parties – is learnt to have been retained as well. The Chief Executive of the board will be appointed by the Central government, which will also determine the terms and conditions of their service.
The fresh draft was released following the withdrawal of an earlier version from Parliament last August after nearly four years in the works, during which it went through multiple iterations, a review by a Joint Committee of Parliament (JCP), and pushback from a range of stakeholders including tech companies and privacy activists.
One of the key changes to the final draft of the Bill is learnt to be in the way it deals with cross-border data flows to international jurisdictions – by moving away from a whitelisting approach to a blacklisting mechanism.