Centre Releases New Draft Data Protection Bill, Proposes Hefty Fines for Breaches

“The purpose of this Bill is to provide for the processing of digital personal data in a manner that recognises the right of individuals to protect their personal data, the need to process personal data for lawful purposes and for other incidental purposes,” an explanatory note says.

New Delhi: The Union government on Friday released the draft Digital Personal Data Protection Bill 2022, three months after withdrawing the previous draft that had come under criticism from rights activists and opposition politicians.

The new draft proposes hefty penalties – of up to Rs 500 crore – for violating the provisions of the Bill and for data breaches.

“The purpose of this Bill is to provide for the processing of digital personal data in a manner that recognises the right of individuals to protect their personal data, the need to process personal data for lawful purposes and for other incidental purposes,” an explanatory note of the draft Bill said.

The new draft was released in place of the Data Protection Bill, 2019, which was withdrawn by the government in August this year. The earlier Bill was criticised for giving a blanket exemption to the Union government from the ambit of the data protection regime.

According to Indian Express, the new draft has “provisions on ‘purpose limitations’ around data collection, grounds for collecting and processing personal data, relaxation on cross-border data flows”.

The draft proposes to set up a Data Protection Board of India, which will carry on functions as per the provisions of the Bill.

“If the Board determines at the conclusion of an inquiry that non-compliance by a person is significant, it may, after giving the person a reasonable opportunity of being heard, impose such a financial penalty as specified in Schedule 1, not exceeding rupees five hundred crore in each instance,” the draft said.

It has proposed a graded penalty system for data fiduciaries that will process the personal data of data owners only in accordance with the provisions of the Act.

The same set of penalties will be applicable to the Data Processor – which will be an entity that will process data on behalf of the Data Fiduciary.

The draft has proposed a penalty of up to Rs 250 crore in case the Data Fiduciary or Data Processor fails to protect against personal data breaches in its possession or under its control.

The draft has also proposed a penalty of Rs 200 crore in case the Data Fiduciary or Data Processor fails to inform the Board and data owner about the data breach.

The proposed legislation offers significant concessions on cross-border data flows, in a departure from the previous Bill’s contentious requirement of local storage of data within India’s geography.

The draft has provisions to allow entities to transfer the personal data of a citizen outside the country, a departure from the previous Bill which had called for data localisation.

The Union government will notify regions to which data of Indians can be transferred based on the “data security landscape and if the government can access data of Indians from there”, according to the Indian Express.

Cross-border data flow will be allowed in cases where the processing of personal data is necessary for enforcing any legal right or claim, for the performance of any judicial or quasi-judicial function, for the investigation or prosecution of any offence, or when the data owner is not within the territory of India and has entered into any contract with any person outside the country.

“The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data,” according to the draft.

The explanation issued by the Ministry of Electronics and IT listed seven principles on which the Bill is based. These include that the usage of personal data by organisations must be done in a manner that is lawful, fair to the individuals concerned and transparent to individuals, and that personal data is used for the purposes for which it was collected.

The draft has a provision to ensure that only those items of personal data required for attaining a specific purpose must be collected and it must be stored perpetually by default.

“The Digital Personal Data Protection Bill is a legislation that frames out the rights and duties of the citizen (Digital Nagrik) on one hand and the obligations to use collected data lawfully of the Data Fiduciary on the other hand,” the explanatory note said.

The draft is open for public comment till December 17. The Bill is expected to be tabled in the Budget session of parliament next year.

(With PTI inputs)