The Ministry of Electronics and IT (MeitY) has released the draft Digital Personal Data Protection Bill 2022, and the government is now asking for public comments and consultations on the bill. Expected to be presented in the next session of parliament, the measure, aimed at protecting digital personal data, seeks to allow transfer of data outside India and provides for penalties regarding data breaches. The bill is supposed to outline the rights and duties of ‘digital nagriks’ or citizens while laying out the process and rules for data collection by companies.
The draft proposes to set up a Data Protection Board of India, which will carry out functions as per the provisions of the bill. The Data Protection Board can impose a penalty of up to ₹500 crore if non-compliance is found to be significant. The Bill proposes six types of penalties for non-compliance, including up to ₹250 crore for failure to take reasonable security safeguards, up to ₹200 crore for failure to notify the Board and affected users in the event of a personal data breach, and up to ₹200 crore for non-fulfilment of additional obligations related to children.
The draft personal data protection bill in 2019 proposed a penalty of ₹15 crore or 4 per cent of the global turnover of an entity. The new draft proposes a graded penalty system for the Data Fiduciary, which is to process the personal data of data owners only in accordance with the provisions of the Act. The same set of penalties will apply to the Data Processor, an entity that processes data on behalf of the Data Fiduciary. The draft proposes a penalty of up to ₹250 crore in case the Data Fiduciary or Data Processor fails to protect personal data in its possession or under its control against breaches.
According to an explanatory note for the bill, it is based on seven principles. The first and one of the most critical principles of the proposed Bill is that usage of personal data by organizations must be done in a manner that is lawful, fair to the individuals concerned and transparent. The second principle, purpose limitation, is that personal data is used for the purposes for which it was collected. The third principle, data minimization, is that only those items of personal data required for attaining a specific purpose must be collected. Among the other principles are that personal data should be kept only for such duration as is necessary for the stated purpose for which it was collected, and that reasonable safeguards should ensure that there is no unauthorized collection or processing of personal data.
The draft is open for public comment till December 17.