
Big Tech firms to appoint grievance officers under New Data Protection Rules

In what would place a higher regulatory burden on Big Tech firms, the Personal Data Protection Bill, which will be tabled in Parliament during the ongoing session, will make it mandatory for companies processing high volumes of data to appoint an India-based data protection officer. The government will notify a Data Fiduciary or class of Data Fiduciaries as a Significant Data Fiduciary based on factors such as the kind and volume of personal data they process and its sensitivity, the extent of risks to the rights of individuals, public order of the state, security of the state, etc.

Besides the data protection officer, who will be the point of contact for the grievance redressal mechanism, significant data fiduciaries will also have to appoint an independent data auditor. The data auditor will evaluate the compliance of the Significant Data Fiduciary in accordance with the provisions of the Personal Data Protection Act, as per the final draft of the Bill.

Among key changes in the final version of the Bill from the draft is the reduction in the amount of penalties imposed on the companies for violating the provisions in case of a data breach. The government has capped the penalty at Rs 250 crore, while keeping the scope open for increase in amount to two times through a modification in the schedule. In the earlier version of the Bill, the government had specified the penalty at Rs 500 crore.

The Data Protection Bill will, however, go easy on startups. As per the provision of the Bill, the government may also notify certain companies and startups based on the volume of data processed which will be exempted from key provisions relating to usage and purpose of data collected from citizens.

This means that unlike big data fiduciaries, upon approval from the government, startups may not be bound by limitations such as collecting the absolute minimum data required for any purpose and limiting its usage to the intended purpose. They also may not be required to delete the data once the service for which it was collected has been delivered.

On cross-border data sharing, the government will specify a negative list of countries to which the personal data of users cannot be transferred.

“The central government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified,” the leaked version of the Bill said.

Among key changes in the revised Bill, the government has opened the scope to reduce the age cap of children to below 18 years for companies to seek parental consent before processing their data.

Meanwhile, on Tuesday, the Standing Committee on Communications and Information Technology pitched for urgent enactment of the Bill, without specifying any significant recommendations or changes.

The committee, chaired by Shiv Sena member of parliament Prataprao Jadhav, said it strongly advocates for the immediate action of enacting the Bill to protect the interests and rights of citizens in the digital age.

This is the second attempt by the government to pass the Personal Data Protection Bill in Parliament. In 2022, the government had withdrawn the Bill after it was referred to the Joint Committee of Parliament, which suggested key changes.

“Delaying the implementation of such a comprehensive framework could potentially expose individuals to various risks and compromise the privacy rights of citizens,” the committee said in a report titled Citizens’ Data Security and Privacy, tabled in Parliament on Tuesday.

Among the key recommendations, the committee has asked the government to modify the consent and notice mechanisms going forward, by including the visual elements for easier understanding by people. The committee urged the IT ministry to incorporate these enabling provisions, so as to extend its benefits to digitally illiterate individuals, ensuring their inclusion in the evolving landscape of data privacy and protection, it said.

Further, to simplify the process and avoid the need to read the entire document containing terms and conditions, the committee has recommended that the government provide a summary or gist of the terms and conditions to the Data Principal.

“However, the committee also wishes to caution the ministry about the judicious use of rule-making powers and emphasises the importance of employing them responsibly and with utmost care,” it said.

The Bill, however, witnessed backlash from Rajya Sabha MP John Brittas, who presented a note of dissent, stating that the government has given exemptions to its agencies on grounds like sovereignty and integrity of India, thereby giving itself unfettered powers. Brittas also advocated for compensation to people in case of data breach.

Financial Express


Copyright © 2024 Communications Today
