The Centre’s significantly shortened and revised draft Bill on personal data protection proposes a hefty increase in penalty amounts up to ₹500 crore, while also easing rules on cross-border data flows, in a big relief for large tech firms. The revised draft — now called The Digital Personal Data Protection Bill, 2022 — comes just over three months after its earlier avatar was withdrawn from Parliament by the Central government.
The new draft Bill, on which stakeholder comments have been invited till December 17, also narrows down the scope of the data protection regime to personal data protection, leaving out non-personal data from its ambit — a move welcomed by the industry.
“The Digital Personal Data Protection Bill (DPDPB), 2022, has been uploaded for public consultation today… We have made sure that all the principles of privacy which have been laid down by the Honourable Supreme Court in various judgements and basis the experience of various countries… We have included all principles…,” Minister of Electronics and Information Technology Ashwini Vaishnaw said.
The personal data protection bill has been in the works for about five years. The first draft of the Bill was presented by an expert panel headed by Justice B.N. Srikrishna in July 2018, after a year-long consultation process. That draft was revised, and a final Bill was tabled in Parliament in December 2019. However, it was soon referred to a joint parliamentary committee, which submitted its report in December 2021. The Ministry of Electronics and IT withdrew the Bill from Parliament this August, and stated that a new bill would be presented, which fit into the “comprehensive legal framework”.
On Friday, the Minister added that the government has ensured that the startup ecosystem and small businesses are not encumbered by huge compliance burdens. “We have tried to create a digital by design framework… The compliance framework is designed right from the beginning in a digital way so that it becomes a simple, easily accessible way for implementing the Bill,” he said.
Also read | Data bill may need multiple iterations before becoming practical: experts
As per the draft, the Data Protection Board — a new regulatory body to be set up by the government — can impose a penalty of up to ₹500 crore if non-compliance by a person is found to be significant. The Bill proposes six types of penalties for non-compliance, including up to ₹250 crore for failure to take reasonable security safeguards, up to ₹200 crore for failure to notify the Board and affected users in the event of a personal data breach, and up to ₹200 crore for non-fulfilment of additional obligations related to children.
The earlier version of the Bill provided for penalties of ₹15 crore, or 4% of the total worldwide turnover of any data collection or processing entity, for violating provisions. However, the new Bill does away with the clause for compensation to affected Data Principals (that is, those whose personal data it is). Additionally, it proposes to impose a penalty of ₹10,000 on individuals providing unverifiable or false information while applying for any document, service, proof of identity or address, or registering a false or frivolous complaint with a Data Fiduciary (who collects and processes the data) or with the Board.
The new Bill provides for significant concessions on cross-border data flows. It proposes that the Central government will notify countries or territories outside India to which a Data Fiduciary may transfer personal data, “in accordance with such terms and conditions as may be specified”.
The government, which is hopeful of introducing the Bill in the Budget session of Parliament in February 2023, has introduced the concept of ‘Consent Managers’ in the Bill. Pointing out that it is not always possible to keep track of the instances in which one has given consent to the processing of personal data, the government said that a consent manager platform will enable an individual to have a comprehensive view of her interactions with Data Fiduciaries and the consent given to them.
The Bill requires the consent of the individual to be the basis for processing of their personal data, except in certain circumstances where seeking the consent of the Data Principal is “impracticable or inadvisable due to pressing concerns”. Every request for consent will need to be presented to the Data Principal in a clear and plain language, and an option to access such a request for consent in English or any language specified in the Eighth Schedule to the Constitution of India.
The government added that the Bill has been drafted in a plain and simple language so that even a person with basic understanding of law is able to understand its provisions.
The Data Principal shall have the right to withdraw her consent at any time, the Bill stated. Data Fiduciaries collecting personal data from individuals will need to provide “itemised notice” in clear and plain language containing a description of personal data sought and the purpose of processing of such personal data.
The Bill also gives the power to the government to offer exemption from its provisions “in the interests of sovereignty and integrity of India” and to maintain public order.
While the earlier version of the draft Bill had recommended that a Data Protection Authority be set up to prevent misuse of personal information, the revised Bill has proposed a Data Protection Board of India which will be notified by the Central government.
