The Digital Personal Data Protection Bill 2022 is the new Bill. It contains provisions about data collection and grounds, data processing, data flow restrictions, and significant penalties for businesses who violate the Bill’s provisions.
Public consultation is open until December 17th, and the final version will be presented to Parliament in the Budget session next year.
In stark contrast to the controversial requirement that data be stored locally within India’s territory, the proposed legislation makes significant concessions regarding cross-border data flows. The Centre will notify Indian regions where data can be transferred, according to the draft. Sources claim that the criteria for selecting these regions will be determined by the data security of the region and whether the government has access to Indian data from the area.
In August, the Indian Express reported that the new Bill would ease data localization requirements and allow data flow to trusted geoographies. Meta, a technology company, said that the Bill could impact its services in India.
Businesses that suffer data breaches or fail notify users of breaches will be subject to severe penalties according to the draft. Companies that fail to implement “reasonable security precautions” to protect personal data will face a Rs 250 crore fine. A fine of up to Rs 200 crore could be imposed on entities that fail to notify their users about data breaches. Similar penalties could be applied to entities that fail to protect children’s privacy. These penalties were reported by The Indian Express on Tuesday, November 15.
The new Bill retains national security-related exemptions. In the interests of sovereignty and integrity in India, security of India, friendship with foreign states, maintenance or prevention of incitement to any cognisable offense relating to any of them, the Centre has been empowered by the new Bill to notify such exemptions.
On the basis of the number of users or the volume of personal data processed, the government could exempt certain businesses. The country’s startups had complained about the Bill’s previous version being too strict. This exemption was made in light of their concerns. This paper reported on Thursday (17 November) about exemptions for startups under the new Bill.
To ensure compliance with the Bill, the Bill proposes to establish a Data Protection Board. Although the draft Bill didn’t include any details on the composition of this board, it stated that it would be “digital in design”.