The Ministry of Electronics and IT (MeitY) recently released the revamped draft data protection Bill.

 

Details

The first draft of the Bill was presented by an expert panel headed by Justice B.N. Srikrishna in July 2018.

 

Digital Personal Data Protection Bill, 2022

  • The new Bill, now called the Digital Personal Data Protection Bill, 2022, has provisions on ‘purpose limitations’ around data collection, grounds for collecting and processing personal data, and relaxation on cross-border data flows, and imposes significant penalties on businesses for violating provisions of the Bill.
  • Cross-border data flows — The proposed legislation offers significant concessions on cross-border data flows, in a departure from the previous Bill’s contentious requirement of local storage of data within India’s geography. According to the new draft, the Centre will notify regions to which data of Indians can be transferred.
  • Penalties: The draft also proposes to impose significant penalties on businesses that suffer data breaches or fail to notify users when breaches happen.
  • Entities that fail to take “reasonable security safeguards” to prevent personal data breaches will face fines as high as Rs 250 crore.
  • If an entity fails to notify users about a data breach, the fine could go as high as Rs 200 crore.
  • Data localisation: The new Bill would relax data localisation requirements and allow data flows to trusted geographies.

 

Exemptions

  • National security-related exemptions have been kept intact in the new Bill.
  • The Centre has been empowered to notify such exemptions in the interest of sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order or preventing incitement to any cognisable offence relating to any of these.
  • The government could also exempt certain businesses from adhering to provisions of the Bill on the basis of the number of users and the volume of personal data processed by the entity.
  • This has been done keeping in mind the country’s startups, which had complained that the previous version of the Bill was too “compliance intensive”.
  • Data Protection Board — The Bill also proposes to set up a Data Protection Board to ensure compliance with the Bill. It can impose a penalty of up to ₹500 crore if non-compliance by a person is found to be significant.