The Ministry of Electronics and IT (MeitY) Friday released the revamped draft data protection Bill, three months after withdrawing a previous version that had alarmed big technology companies and civil society.
The new Bill, now called the Digital Personal Data Protection Bill, 2022, has provisions on ‘purpose limitations’ around data collection, grounds for collecting and processing personal data, and relaxation of cross-border data flows, and imposes significant penalties on businesses for violating its provisions.
The new measure is up for public consultation until December 17, and the final version is expected to be tabled in the Budget session of Parliament next year.
The proposed legislation offers significant concessions on cross-border data flows, in a departure from the previous Bill’s contentious requirement of local storage of data within India’s geography. According to the new draft, the Centre will notify regions to which data of Indians can be transferred. Sources said the conditions for selecting such regions would be based on their data security landscape and on whether the government can access data of Indians from there.
The Indian Express, in August, had reported that the new Bill would relax data localisation requirements and allow data flows to trusted geographies. Data localisation under the previous Bill was among the biggest issues flagged by technology companies, with firms like Meta having said that it could have an impact on its services in India.
The draft also proposes to impose significant penalties on businesses that undergo data breaches or fail to notify users when breaches happen. Entities that fail to take “reasonable security safeguards” to prevent personal data breaches will face fines as high as Rs 250 crore. If an entity fails to notify users about a data breach, the fine could go as high as Rs 200 crore. A similar penalty would be imposed if entities fail to safeguard children’s privacy. On Tuesday (November 15), The Indian Express had reported on these penalties.
National security-related exemptions have been kept intact in the new Bill. The Centre has been empowered to notify such exemptions in the interest of sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order or preventing incitement to any cognisable offence relating to any of these.
The government could also exempt certain businesses from adhering to provisions of the Bill on the basis of the number of users and the volume of personal data processed by the entity. This has been done keeping in mind the country’s startups, which had complained that the previous version of the Bill was too “compliance intensive”. On Thursday (November 17), this paper had reported on exemptions for startups under the new Bill.
The Bill also proposes to set up a Data Protection Board to ensure compliance with the Bill. The draft Bill did not include details about the composition of the board, but said that it will be “digital by design”.