The Personal Data Protection Bill, which proposes to put restriction on use of personal data without explicit consent of citizens, is likely to be tabled in the next year's Budget session of Parliament, according to a source. The draft of the bill, approved by the Cabinet in December 2019, proposes a penalty of up to Rs 15 crore and up to three-year jail term for company executives for violating privacy norms.
"The time for the joint committee on the Personal Data Protection Bill has been extended to the second week of the winter session. The final bill is expected to be tabled in Parliament in the Budget session after incorporating the suggestions of the committee," the source told .
The bill was introduced in the Lok Sabha in February and has been referred to a Joint Parliamentary Committee of both the Houses, headed by BJP MP Meenakshi Lekhi, for examination and report.
The draft approved by the Cabinet in December mandates storage of critical data of individuals by internet companies within the country while sensitive data can be transferred overseas only after explicit consent of the data owner.
The bill has been drafted following a Supreme Court judgement in August 2017 that declared 'Right to Privacy' a fundamental right.
The need for a strong personal data protection regime was further highlighted by the apex court in its judgement in September 2018 in which it held Aadhaar as a constitutionally valid scheme but struck down some provisions in the Aadhaar Act.
As per the provisions of the bill, all internet companies will have to mandatorily store critical data of individuals within the country. However, they can transfer sensitive data overseas after explicit consent of the data owner to process it only for purposes permissible under the proposed legislation.
Critical data will be defined by the government from time to time. Data related to health, religious or political orientation, biometrics, genetic, sexual orientation, health, financial etc have been identified as sensitive data.
A company's executive in-charge of conduct of the data business would face a jail term of up to three years if found guilty of knowingly matching anonymous data with publicly available information to find out the identity of an individual -- called as 're-identify de-identified data' in technical parlance, under the proposed law.
Social media companies will be required to come up with a mechanism to identify users on their platform who are willing to be identified on a voluntary basis.
It will be voluntary for individuals if they want to get verified or not.
The bill has provisions to grant the right to be forgotten to data owners as well as the right to erase, correct and porting of data.