The Center’s sharply shortened and revised draft legislation on personal data protection proposes to drastically increase fines, to up to Rs 500 crore, while relaxing rules on cross-border data flows, a huge relief for big tech companies. The revised draft, now called the Digital Personal Data Protection Bill (2022), comes just three months after the central government withdrew the bill's initial avatar from Parliament.
The new draft bill, on which stakeholder input is due by December 17, narrows the scope of the data protection regime to personal data, excluding non-personal data. The move has been welcomed by the industry.
“The Digital Personal Data Protection Bill (DPDPB), 2022, has been uploaded for public consultation today… We have made sure that all the principles of privacy which have been laid down by the Honourable Supreme Court in various judgements and basis the experience of various countries… We have included all principles…,” Minister of Electronics and Information Technology Ashwini Vaishnaw said.
The Personal Data Protection Act has been in the works for about five years. The first draft of the bill was presented in July 2018 by a panel of experts led by Justice B.N. Srikrishna, after a year-long consultation process. The draft was amended and the final bill was introduced to Parliament in December 2019. However, it was soon referred to a Joint Committee of Parliament, which submitted its report in December 2021. The Department of Electronics and IT withdrew the bill from Parliament this August, and said new legislation would be presented that would fit into a “comprehensive legal framework”.
On Friday, the minister added that the government had ensured that the startup ecosystem and small and medium-sized enterprises (SMEs) are not hampered by huge compliance burdens. “We tried to make it digital through our design framework. The compliance framework was designed digitally from the ground up to be a simple and easily accessible way to implement legislation,” he said.
According to the draft, a new regulatory body to be set up by the government, the Data Protection Board, could impose fines of up to 50 billion rupees (about 500 billion won) on individuals if violations of the rules are found to be serious. The bill proposes six types of penalties for non-compliance. These include up to Rs 25 billion for failure to take reasonable security safeguards, up to Rs 20 billion for failure to notify the Board and affected users in case of a personal data breach, and up to Rs 20 billion for non-fulfillment of additional obligations related to children.
A previous version of the bill imposed a fine of 15 million rupees or 4% of the global turnover of data collection or processing entities for non-compliance. However, the new legislation removes provisions for compensation for affected data subjects (i.e. owners of personal data). It also proposes a fine of Rs 10,000 on any individual who provides unverifiable or incorrect information while applying for a document, service, or proof of identity or address, or who registers a false or frivolous complaint with a data trustee (the entity that collects and processes data) or with the Board.
The new legislation provides significant concessions on cross-border data flows. The central government proposes to notify the countries or territories outside India to which data trustees may transfer personal data “under specified conditions”.
The government, which hopes to introduce the bill at the plenary session of Parliament in February 2023, has introduced the concept of a ‘consent manager’ into the bill. Noting that it is not always possible to track instances in which consent has been given to the processing of personal data, the government said the consent manager platform allows individuals to have a comprehensive view of their interactions with data trustees and of the consent given to them.
The bill requires the consent of the individual whose personal data is being processed, except in certain circumstances where obtaining the consent of the data subject is “impracticable or inadvisable due to pressing concerns”. All consent requests must be presented to the data subject in clear and plain language, and there must be an option to access such consent requests in English or in any language specified in the Eighth Schedule to the Constitution of India.
The government added that the bill was written in plain and easy language so that anyone with a basic understanding of the law could understand it.
The law states that the data subject has the right to withdraw consent at any time. Data trustees collecting personal data from individuals must provide an “itemized notice” in clear and plain language that includes a description of the personal data they are seeking and the purpose for processing that personal data.
The bill also authorizes the government to waive provisions “for the sake of India’s sovereignty and integrity” and to maintain public order.
While the initial version of the draft bill recommended establishing a data protection authority to prevent misuse of personal data, the revised bill proposed an Indian Data Protection Commission to be notified by the central government.