The Ministry of Electronics and IT on Friday released the new revamped Draft Data Protection Bill.
It had been withdrawn three months earlier due to backlash from tech companies and civil society.
Digital Personal Data Protection Bill, 2022
The new bill is now called the ‘Digital Personal Data Protection Bill, 2022’.
It has certain grounds for collecting and processing external data and also has provisions to limit data collection.
It focuses on cross-border data flow and imposes hefty penalties on tech companies for violating provisions of the Bill.
The draft has been laid out for public consultation and to gather the opinion of stakeholders until December 17, and is proposed to be tabled in Parliament during the Budget session next year.
The bill makes concessions on the localization of data flows.
The previous bill required data to be stored locally within India’s territorial geography.
The region would be decided on the basis of the conditions of data security in the region and the degree of accessibility of data of Indians over there.
The bill relaxes data localization requirements and allows data flow within trusted geographies.
Data localization was one of the biggest issues raised by tech companies like Meta.
They said that it would have impacted their services in the country.
Exemptions from the Draft Data Protection Bill
The exemptions to the provisions of the Bill cover matters of national security, including the sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order, and preventing incitement.
The government has also considered exempting certain entities from adhering to the terms of the bill, conditioned on the number of users and the volume of personal data they process.
This is done to make room for start-ups in the country, which had raised objections to the previous version of the Bill, calling it too ‘compliance intensive’.
The bill also proposes a Data Protection Board to ensure compliance with the provisions of the Bill.
However, it does not specify the composition of the board or other details regarding it.
Data Protection Bill revised with a penalty of up to 200 crore
The draft proposes significant financial penalties on tech companies that breach data or fail to notify their users when such a breach happens.
Hence, the entities are required to take ‘reasonable security safeguards’ to prevent such breaches or face high financial penalties.
Under the new and revamped Data Protection Bill, corporations that deal with the personal data of consumers need to take reasonable safeguards to prevent data breaches, which could otherwise invite hefty penalties of as much as 200 crores.
The Data Protection Board is the regulatory body proposed to enforce the provisions of the Bill, after companies and tech entities have been given an opportunity to be heard.
The penalty might vary with the degree of non-compliance by the fiduciaries (financial entities that handle personal data).
For example, entities breaching children’s personal data could be fined somewhere around 100 crores.
Earlier, violations attracted a fine of 15 crores or 4% of annual turnover, whichever is higher.
The bill will now be known as the ‘Digital Personal Data Protection Bill’.
The bill does not cover non-personal data, which is data that does not reveal the consumer’s identity.
Withdrawal of the previous Bill
The earlier version of the bill was withdrawn even after undergoing multiple alterations.
The government said it would come up with a comprehensive legal framework.
A bill was needed to put an end to the blatant misuse of consumers’ personal data by companies by slapping them with financial penalties.