New Revised Data Protection Bill
The revised data protection Bill, which was released by the Ministry of Electronics and IT (MeitY) on Friday, has several important provisions, including easing cross-border data flows, increasing penalties for data breaches and non-compliance, and enabling the government to exempt state agencies from the law in the interest of national security.
The government retracted an earlier draft of the Bill, leading to opposition from Big Tech and several segments of civil society; the new draft was released three months later.
New Features Added
The new draft, now known as the Digital Personal Data Protection Bill, 2022, includes clauses on “purpose limitations” for data collection, specific grounds for collecting and processing personal data, fines ranging from Rs 50 crore to Rs 500 crore, and a Data Protection Board acting as the adjudicating body to enforce the Bill’s provisions.
The final version is anticipated to be presented during Parliament’s budget session the following year. The data protection bill draft is available for public comment until December 17. In contrast to the previous Bill’s more than 90 clauses, the current one has only 30. However, the revised Bill has left out certain essential elements of its provisions, which would be clarified in later rules.
In contrast to the contentious necessity of local storage of data within India’s geography in the previous Bill, the new draft makes major concessions on cross-border data transfers.
Bill would Loosen the Restrictions on Data Localization
According to the new draft, the Centre will notify the regions to which Indians’ data may be transferred. According to sources, the criteria for choosing such places would be based on their data security environment and whether the government could access Indians’ data there. On August 14, The Indian Express stated that the new Bill would loosen the restrictions on data localization and permit data flow to reliable regions.
The export of undefined “essential” personal data outside of India was prohibited under the previous Bill, which required enterprises to keep a copy of certain “sensitive personal data” of individuals, such as financial and health information, on Indian soil. One of the greatest worries raised by the technology industry was that it would have an effect on the services offered in India by businesses like Meta.
The Bill takes a somewhat accommodative stance toward the need for data localization and allows data flow to specific international locations depending on predetermined evaluations. This is expected to encourage country-to-country trade agreements and make it relatively easy for international corporations to operate and process data with their current setup, rather than being forced to build substantial infrastructure in India for the storage and processing of personal data.
Data Protection Board & Exemption to Centre’s Authorities
To ensure that its provisions are followed, the Bill also suggests creating a Data Protection Board. The draft stated that the board will be “digital by design,” but it did not go into specifics on its makeup. Users will have the right to update and erase their personal data held by businesses if it is inaccurate, and companies will be obligated to stop keeping user data if it no longer serves the intended commercial purpose.
Similar to the prior 2019 version, national security-related exemptions have been preserved. In the interest of maintaining India’s sovereignty and integrity, the security of the nation, good relations with other nations, maintaining public order, or preventing incitement to any cognizable offense, the Centre has been given the authority to exempt its agencies from adhering to the Bill’s provisions.
Depending on the number of users and the amount of personal data processed by the institution, the government may also exempt some companies from the Bill’s requirements. The country’s startup ecosystem, which had complained that the previous version of the Bill was too “compliance intensive,” has been taken into consideration when doing this.
Imposing Stiff Fines on Companies that Violate User Privacy Rights
The Indian Express reported on start-up exclusions under the new Bill on Thursday, November 17. The draft also suggests imposing stiff fines on companies that violate user privacy rights or fail to notify customers when such violations occur. A fine of up to Rs 250 crore would be imposed on organizations that do not implement “reasonable security precautions” to avoid breaches of personal data.
The penalty for failing to alert users and the Data Protection Board about a data breach might reach Rs 200 crore. If organizations fail to protect children’s privacy, a comparable fine would be applied. The most severe punishment that can be levied on a corporation is Rs 500 crore for each infringement.
Notably, the Bill also establishes user penalties. According to the policy, a user may be penalized up to Rs 10,000 if they provide fraudulent identification when registering for an online service or file baseless complaints.