A draft of the new and updated Digital Personal Data Protection Bill, 2022, was unveiled on Friday of last week, and it is more focused on personal data than a previous convoluted form by the Ministry of Electronics and Information Technology. The most recent version of the Act has harsh penalties for not following it, but they are not tied to how much money the business makes.
In case you don’t know, this is the fourth version of a data protection law in India and has a provision that proposes to amend the Right to Information Act 2005. The Justice Srikrishna Committee, set up by the Ministry of Electronics and Information Technology (MeitY), proposed the Personal Data Protection Bill, 2018.
Seeking your views on draft Digital Personal Data Protection Bill, 2022.
Link below: https://t.co/8KfrwBnoF0
— Ashwini Vaishnaw (@AshwiniVaishnaw) November 18, 2022
Reworked legislation includes substantial fines for noncompliance, which are capped without any link to the entity’s turnover. It has also simplified laws on cross-border data flows, which might help IT firms, and made start-up compliance easier.
Two possible red flags include a broad exemption for government organizations from some of the bill’s onerous requirements and a diminution of the Data Protection Board’s remit, which is to supervise the proposed legislation.
The Ministry of Electronics and IT (MeitY) says the new draft strikes a careful balance and learns from worldwide techniques while maintaining alignment with the Supreme Court’s verdict on privacy as a basic right, but with acceptable constraints.
About the bill
- According to the bill’s explanatory note, it establishes the rights and duties of citizens (Digital Nagrik) and the data fiduciary’s obligation to use gathered data responsibly.
- The measure is built on the principles of the data economy: first, organizations must use personal data lawfully, fairly, and transparently. Second, personal information should be used only for the purpose for which it was collected.
- The government introduced the bill because there are over 76 crore active internet users (Digital Nagriks), and this is likely to reach 120 crore in the coming years (1.2 billion).
- The bill not only penalizes corporations for data breaches, but it also recommends a Rs. 10,000 charge on individuals for supplying fake information, impersonating others, and making bogus complaints against social media platforms.
- The act marks the first time the administration has used “her” and “she” officially to refer to individuals irrespective of gender, as opposed to “he” and “him.”
- A data fiduciary or processor must notify the board and each impacted data principal of a personal data breach. Under contract, Data Fiduciary exclusively stores personal data. In this bill, the government increased fines for some corporations to Rs 500 crore.
Fines for data breaches could reach Rs 250 crore. Failing to take reasonable security precautions to prevent personal data breaches might result in fines of up to Rs 250 crore.
The 2019 law proposes a Rs 15 crore or 4% worldwide turnover penalty. In the event of a personal data breach or the non-fulfillment of additional child-related requirements, the suggested penalties are up to Rs. 200 crore.
Failure to meet their obligations will result in a Rs. 150 crore fine for Significant Data Fiduciaries. Entities need parental approval for children’s data. A data fiduciary won’t watch children’s behavior’s or tailor advertisements to them.
The draft’s clause 30 reads as follows:
The following changes must be made to clause (j) of sub-section (1) of section 8 of the Right to Information Act, 2005:
- (a) The words “the disclosure of which has no relationship to any public activity or interest, or which would cause unwarranted invasion of the privacy of the individual unless the Central Public Information Officer or the State Public Information Officer or the appellate authority, as the case may be, is satisfied that the larger public interest justifies the disclosure of such information” shall be omitted;
- (b) If the proposed changes are approved by Parliament, Section 8(j) of the RTI Act will read “information that relates to personal information.” In other words, the exposure of personal information will be completely prohibited.
The Ministry has requested public comments on the proposed bill
The bill is up for public comment through December 17, 2022, and it is expected to be introduced the following year during the budget session.
According to the Digital Personal Data Protection Bill, 2022
If the Board determines at the conclusion of an inquiry that noncompliance by a person is significant, it may, after giving the person a reasonable opportunity of being heard, impose such a financial penalty as specified in Schedule 1, not exceeding rupees five hundred crore in each instance