The government on Wednesday approved the Personal Data Protection Bill which proposes a penalty of up to Rs 15 crore and up to three-year jail term for company executives for violating privacy norms.
The bill also mandates storage of critical data of individuals by internet companies within the country while sensitive data can be transferred overseas only after explicit consent of the data owner, a source said.
Information and Broadcasting Minister Prakash Javadekar said the bill has been approved by the Cabinet and will be introduced in Parliament during the current Winter Session. The bill has been drafted following a Supreme Court judgement in August 2017 that declared 'Right to Privacy' a fundamental right.
The need for a strong personal data protection regime was further highlighted by the apex court in its judgement in September 2018 in which it held Aadhaar as a constitutionally valid scheme but struck down some provisions in the Aadhaar Act.
Giving details about the provisions of the bill, the source said that all internet companies will have to mandatorily store critical data of individuals within the country. However, they can transfer sensitive data overseas after explicit consent of the data owner to process it only for purposes permissible under the proposed legislation.
"Critical data will be defined by the government from time to time. Data related to health, religious or political orientation, biometrics, genetics, sexual orientation, health, financial etc have been identified as sensitive data.
CNBC-TV18 spoke to Mishi Choudhary, data protection/technology lawyer; Siddharth Vishwanath, partner and leader, cybersecurity at PwC India; Arghya Sengupta, founder of Vidhi Centre for Legal Policy and NS Nappinai, advocate cyber law to discuss the framework of the bill.
(With inputs from PTI)