The Digital Personal Data Protection Bill, 2022 (hereafter "the Bill") contains provisions on purpose limitations for data collection, grounds for processing personal data, relaxations on cross-border data flows, and severe penalties for businesses that violate these provisions.
The new measure is open for public consultation until December 17th. The final version of the Bill is expected to be submitted in the Budget session of Parliament next January.
The proposed legislation offers significant concessions on cross-border data flows, a departure from the previous Bill's controversial requirement that data be stored locally within India. According to the new draft, the Centre will notify the regions to which Indians' data may be transferred. Sources claimed that such regions will be selected based on their data security and on whether the government has the ability to access Indians' data.
According to an Indian Express report in August, the new Bill would allow data flows to trusted geographies and relax data localisation requirements. Meta and other technology companies have expressed concern about data localisation in the Bill.
Additionally, the draft proposes severe penalties for businesses that suffer data breaches and fail to notify users about them. The fine for failing to implement reasonable security measures to protect personal data could reach Rs 250 crore. The fine for failing to notify users of a data breach could reach Rs 200 crore. If entities fail to protect the privacy of children, a similar penalty could be imposed. The Indian Express reported on these penalties on Tuesday, November 15th.
The new Bill leaves national security-related exemptions unaffected. The Centre is empowered to notify these exemptions in the interests of sovereignty, integrity, and security of India. It also has the power to notify them in the interest of state security, national security, and friendly relations with foreign countries.
Certain businesses could be exempted from the Bill based on their number of users and the volume of personal information they process. This was done in consideration of startups across the country, which had complained that the Bill was too restrictive. This newspaper reported on Thursday, November 17th, about the exemptions available to startups under the new Bill.
To ensure compliance with its provisions, the Bill also proposes to create a Data Protection Board. The draft Bill did not provide details about the Board's composition, but said that it would be “digital by design”.