Personal data protection bill puts user first and has heavy penalties – cyber experts are happy about it

  • The data protection bill is one of the major bills to be a part of the winter session of the Parliament.
  • As per the draft bill released in 2018, global companies have to store their data locally.
  • It also asked businesses to seek user consent before taking their data – by explicitly citing the reasons for use.
One of the major bills to be introduced in the winter session of the Indian Parliament is the data protection bill.

From the Cambridge Analytica scandal to the most recent WhatsApp data breach, where an Israeli company spied on the data of Indians, recent incidents have left many worried about using platforms they otherwise use every day.

In a digital-first world where cyber attacks and breaches are common, this bill is a first step in answering the question: who has access to my data?


The draft bill, released in 2018, requires global companies to store their data locally. It also asked businesses to seek user consent before taking their data by explicitly citing the reasons for use. However, it also said that “the State is not required to seek the individual’s consent while providing benefits or services”.

The bill has been a point of contention since it was released, as corporates would have to restructure the way they work. In spite of the many pain points, experts believe that the bill is the need of the hour.

“Our research showed that 63% of Indian businesses are concerned about being exposed to cyber threats due to employee error. The bill comes at a time when data breaches have cost Indian firms dearly and IT managers having to deal with cyberattacks coming from all directions, that too with a limited budget, outdated technology and a dearth of security expertise,” said Sunil Sharma, managing director sales, Sophos India & SAARC.


The bill dictates that personal data that is collected must be processed only for purposes that are clear, specific and lawful - and that makes it a powerful law.

“As per the new Data Security Council of India (DSCI) report, India has been the second most cyber-attacks affected country from 2016 to 2018. With this law, we hope to see that corporates will use the personal data of citizens in a responsible, fair and reasonable manner that respects the privacy of the data principal,” said Neelesh Kripalani, Sr. VP and Head – Center of Excellence (CoE), Clover Infotech.

The bill also plans to levy heavy penalties for those who violate the norms. Entities which violate sensitive data are liable for a penalty of up to ₹15 crore or 4% of the total worldwide turnover, whichever is more. If non-sensitive personal data safeguard terms are violated, then the penalty will be up to ₹5 crore or 2% of the annual turnover, whichever is more.


The bill also puts the user first.

“Till now we needed to accept the company’s terms and conditions, where the company used to only state about the usage of the data. But with this bill now it will be mandatory for companies to explain how the data will be processed or used by them, which will make the data handling a transparent process. With this protection bill we will have full self-control of the data,” said Prathamesh Sonsurkar - Cyber security expert & Ethical Hacker.

Sonsurkar adds that the bill will bring transparency to the end users, and it will become difficult for the corporates to carry on with malpractices.

