Three months after withdrawing the previous bill, the government has finally released the long-awaited draft of a new comprehensive data protection bill. The bill is expected to be introduced during the next legislative session. It is open for public feedback till December 17.
The proposed legislation seeks to protect digitally stored personal data, permits data transfer outside of India and establishes penalties for data breaches. The government has now increased the fine for breaking the rules outlined in the revised Digital Personal Data Protection Bill 2022 to Rs 500 crore.
According to the draft, a Data Protection Board of India would be established in accordance with the proposed legislation’s provisions.
It says: “If the Board determines on conclusion of an inquiry that noncompliance by a person is significant, it may, after giving the person a reasonable opportunity of being heard, impose such financial penalty as specified in Schedule 1, not exceeding rupees five hundred crores in each instance.”
THE PENALTIES
The draft proposes a graduated penalty system for data fiduciaries who process the personal data of data owners only in accordance with the Act’s provisions. The same penalties will apply to the Data Processor, which will be an entity that processes data on behalf of the Data Fiduciary.
Under the subject matter non-compliance, it is said that the “failure of Data Processor or Data Fiduciary to take reasonable security safeguards to prevent personal data breach under sub-section (4) of section 9 of this Act” would lead to a penalty of up to Rs 250 crore.
Similarly, failure to notify the Board and affected Data Principals in the event of a personal data breach, as well as non-fulfilment of additional obligations in relation to children, would be subjected to Rs 200-crore penalty.
In case of transferring the data overseas, the draft stated: “The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data, in accordance with such terms and conditions as may be specified.”
FIRST DRAFT IN 2017
The first draft was introduced in 2017 by a panel led by retired Supreme Court Judge BN Srikrishna, and the draft Bill was introduced in the Lok Sabha in December 2019.
It received some criticism from a joint parliamentary committee (JPC) and was withdrawn in 2019 to be replaced by a 2021 draft.
But this was withdrawn in August 2022, citing factors such as the increased compliance burden, the changing technological landscape, and a slew of recommendations. Given that the JPC recommended nearly 80 amendments, the government decided to withdraw the existing draft and share a completely new bill.
However, earlier this week, citing a New York Times report on Google’s $391.5-million privacy settlement in the United States for allegedly misleading users into believing they had turned off location tracking, Rajeev Chandrashekhar, minister of state for information technology, said in a tweet that companies that misuse user data will face “punitive and financial” consequences once the proposed data protection law goes into effect.
“India’s #DigitalDataProtection bill will put a stop to this and ensure that any platform or intermediary that does this will face punitive and financial consequences,” he tweeted.
This type of "misuse" of custmr data violates #Privacy n #DataProtection expectationsIndia's #DigitalDataProtection bill will put a stop to this – & ensure that any Platform/Intermediary that does this will face punitive & financial consequences #DigitalIndia #IndiaTechade https://t.co/ierWNweFhn
— Rajeev Chandrasekhar ???????? (@Rajeev_GoI) November 15, 2022
In September, Union Minister Vaishnaw stated during an event that “I request everyone to evaluate the bill and come up with suggestions, each of which will be carefully considered”.
Industry’s View
As the new bill was announced by the government, Supratim Chakraborty, Partner, Khaitan and Co, told News18 that the bill appears to be lean and focused, in comparison to the earlier Personal Data Protection Bill 2019.
According to him: “Amongst key areas to watch out for is cross-border data transfer.”
He explained that the bill provides Central Government the ability to designate territories to which personal data may be freely transferred, while certain aspects remain in line with the 2019 Bill such as enhanced obligations being prescribed for data fiduciaries and data processors.
Seeking your views on draft Digital Personal Data Protection Bill, 2022.Link below: https://t.co/8KfrwBnoF0
— Ashwini Vaishnaw (@AshwiniVaishnaw) November 18, 2022
Chakraborty said: “The new bill also differs from the 2019 Bill on certain points such as categorization of personal data further into sensitive personal data and critical personal data, which has been done away with now.”
“As widely anticipated, the bill provides for stringent financial penalties for up to Rs 250 crore for certain non-compliances. With such changes, it is clear that the bill reaffirms the Government’s objective to establish a strong data protection legal regime in India and intends for companies to start with a fresh focus on privacy compliance,” he added.
Rupinder Malik, Partner, JSA, one of the leading law firms, stated the bill has simplified the proposed data protection regime and done away with some contentious clauses which caused industry pushback in earlier versions.
Malik said: “Data mirroring, data localisation requirements and overall compliances appear to be limited compared to the previous bill. The legislative intent appears to be tech and IT business-friendly, focused on facilitating cross-border data flows.”
However, according to Malik, some aspects that have been watered down could potentially reduce overall protection accorded to individual privacy rights.
“The positive bit is that the bill has been drafted in a simpler manner, with fewer ambiguities,” he noted.
Read all the Latest India News here
Comments
0 comment