The government on Friday proposed a new data privacy law that allows the transfer and storage of personal data in some countries while raising the penalty for violations.
The draft Digital Personal Data Protection (DPDP) Bill 2022 will be a great relief for Google, Amazon, Facebook and other global firms as it replaces an earlier version that had alarmed big tech companies over its stringent restrictions on cross-border data flows.
The government will “notify such countries or territories outside India to which a data fiduciary may transfer personal data”, according to the draft unveiled on Friday for public feedback.
The new draft will become law once Parliament approves it.
The proposed legislation stipulates consent before collecting personal data and provides for stiff penalties of as much as Rs. 500 crore on persons and companies that fail to prevent data breaches including accidental disclosures, sharing, altering or destroying personal data.
Companies are allowed to store the collected data for only specified periods.
The draft also gives powers to the central government to exempt state agencies from provisions of the bill “in the interests of sovereignty and integrity of India” and to maintain public order.
With more than 750 million internet users and the second-largest home for mobile phones, India is a big and growing market for tech giants but the previous privacy rules had riled them.
The draft bill covers personal data collected online and digitised offline data. It will also apply to the processing of personal data abroad if such data involves profiling Indian users or selling services to them.
“The 2022 DPDP Bill has simplified the proposed data protection regime and done away with some contentious clauses which caused industry pushback in earlier versions. Particularly, data mirroring, data localisation requirements, and overall compliances appear to be limited compared to the previous Bill,” said Rupinder Malik, Partner at law firm JSA.
The legislative intent, he said, appears to be tech and IT business-friendly, focused on facilitating cross-border data flows. “Some aspects that have been watered down could potentially reduce overall protection accorded to individual privacy rights. The positive bit is that the Bill has been drafted in a simpler manner, with less ambiguities.” The new draft legislation comes in place of the Data Protection Bill, which was withdrawn by the government in August this year. The draft is open for public comment till December 17.
The draft bill requires the setting up of a ‘Data Protection Board’ to ensure compliance. The board will also hear user complaints.
It requires firms such as Google and Facebook to be accountable to a ‘consent manager’ to provide an “accessible, transparent and inter-operable platform” to give, manage, review and withdraw consent.
Users shall have the right to correct and erase their personal data.
While the personal data of children cannot be obtained or processed without parental consent, the draft law provides that advertising cannot target children.
Companies of ‘significant’ size — based on factors such as the volume of data they process — would be required to appoint an independent data auditor to evaluate compliance with provisions of the law.
The provision in the previous version that gave the government powers to ask a company to provide anonymised personal data and non-personal data to help target the delivery of services or formulate policies, is not there in the new draft.
The new draft raises penalty amount to up to Rs. 500 crore for violating provisions. The draft personal data protection bill, issued in 2019, had proposed a penalty of Rs. 15 crore or 4 percent of the global turnover of an entity, whichever is higher.
“The purpose of this Bill is to provide for the processing of digital personal data in a manner that recognises the right of individuals to protect their personal data, the need to process personal data for lawful purposes and for other incidental purposes,” an explanatory note of the draft bill said.
The draft proposes to set up a Data Protection Board of India, which will carry on functions as per the provisions of the bill.
“If the Board determines at the conclusion of an inquiry that non-compliance by a person is significant, it may, after giving the person a reasonable opportunity of being heard, impose such a financial penalty as specified in Schedule 1, not exceeding rupees five hundred crore in each instance,” the draft said.
It has proposed a graded penalty system for Data Fiduciaries and Data Processors in case of any violation under the proposed legislation.
Data Fiduciaries are those entities which will process personal data, either by themselves or with the help of Data Processors.
The draft has proposed a penalty of up to Rs. 250 crore in case the Data Fiduciary or Data Processor fails to protect against personal data breaches in its possession or under its control.
The draft has also proposed a penalty of up to Rs. 200 crore in case the Data Fiduciary or Data Processor fails to inform the Board and data owner about the data breach.
Besides, the bill proposes to impose a penalty of Rs. 10,000 on individuals providing unverifiable or false information while applying for any document, service, proof of identity or address etc and for registering a false or frivolous complaint with a Data Fiduciary or the Board.
The bill has a provision to allow entities to transfer the personal data of a citizen outside the country in cases where the processing of personal data is necessary for enforcing any legal right or claim, the performance of any judicial or quasi-judicial function, investigation or prosecution of any offence or if the data owner is not within the territory of India and has entered into any contract with any person outside the country.
“The Central Government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a Data Fiduciary may transfer personal data,” according to the draft.
The explanatory note issued by the Ministry of Electronics and IT listed seven principles on which the bill is based.
These include the usage of personal data by organisations being done in a manner that is lawful, transparent, and fair to the individuals concerned and the personal data is used for the purposes for which it was collected.
The draft also has a provision to ensure that only those items of personal data required for attaining a specific purpose must be collected and it must be stored perpetually by default.
“The Digital Personal Data Protection Bill is a legislation that frames out the rights and duties of the citizen (Digital Nagrik) on one hand and the obligations to use collected data lawfully of the Data Fiduciary on the other hand,” the explanatory note said.
Comments on the draft bill can be submitted till December 17.