Even the government will be responsible for a data breach: a government source

A government source said on Saturday that the Digital Personal Data Protection Bill will hold the government responsible in the event of a data breach.

The source said the draft law will only cover aspects related to digital data as the mandate of the Ministry of Electronics and Information Technology is to deal with digital space and cyberspace.

“The law is mainly intended to hold accountable those entities that monetize data. In the event of a data breach, even the government is not exempt,” the source said.

The Digital Personal Data Protection Bill exempted certain entities notified as data custodians by the government from various compliance requirements, including sharing details for the purpose of data collection. The draft set out various provisions to ensure that data processing entities collect data with the express consent of individuals (or Data Principals) and use it only for the purpose for which it was collected.

The draft proposed a penalty of up to Rs 500 crore if data agents, or the entities on whose behalf they process data, breach any provision of the bill.

“The central government may by notification, taking into account the volume and nature of the personal data processed, notify certain data custodians or the category of data custodians as data custodians” to whom certain provisions of the law do not apply, the draft said.

The provisions deal with informing the individual of the purpose of data collection, collecting children’s data, assessing risks around public order, and hiring a data auditor, among other things.

The bill proposes exempting government-notified data custodians from sharing details of data processing with data owners under the “right to information about personal data”.

The source said there were frivolous applications under the Right to Information Act that burdened government departments, and therefore the entity notified by the government was exempted from the RTI clause.

Explaining the rule for allowing the transfer of data outside India, the source said that the transfer and storage of data in other countries will be done on the basis of mutual agreement and recognition of each other.