Digital Personal Data Protection Bill: New draft privacy law eases cross-border flow of data, hikes penalties for breach
Easing cross-border data flows, hiking penalties for data breaches and non-compliance, allowing the government to exempt state agencies from the law in the interest of national security: these are among the key provisions of the revamped data protection Bill released by the Ministry of Electronics and IT (MeitY) Friday.
The draft is up for public consultation until December 17 and the final version is expected to be tabled in the Budget session of Parliament next year. The new Bill has 30 provisions while the previous one had more than 90. The revamped Bill, however, leaves a number of crucial details of its provisions to be specified in subsequent rules.
The new draft offers significant concessions on cross-border data flows, in a departure from the previous Bill’s contentious requirement of local storage of data within India’s geography. According to the new draft, the Centre will notify regions to which data of Indians can be transferred.
Sources said the conditions for selecting such regions would be based on their data security landscape and if the government can access data of Indians from there. The Indian Express had, on August 14, reported that the new Bill would relax data localisation requirements and allow data flows to trusted geographies.
Under the previous Bill, businesses were supposed to store a copy of certain “sensitive personal data” of citizens like health and financial data within India, and the export of undefined “critical” personal data from the country was prohibited. It was among the biggest issues flagged by technology companies, with firms like Meta having said that it could have an impact on its services in India.
“The Bill offers a relatively soft stand on data localisation requirements and permits data transfer to select global destinations based on some predefined assessments. This is likely to foster country-to-country trade agreements, make it relatively easier for global enterprises to operate and process data with their current set-up rather than mandatorily developing large infrastructure in India for storing and processing of personal data,” said Manish Sehgal, partner at Deloitte India.
The Bill also proposes to set up a Data Protection Board to ensure compliance with the Bill. While it does not include details about the composition of the board, the draft said it will be “digital by design”.
Companies will be required to stop retaining user data if it no longer serves the business purpose for which it was collected, and users will have the right to correction and erasure of their personal data in possession of businesses.
Businesses of “significant” size, based on factors such as the volume of data they process, should, as per the draft, appoint a Data Protection Officer and an independent data auditor to evaluate compliance with provisions of the law. Companies should not process personal data that is “likely to cause harm” to children and cannot run targeted advertising on children, defined as individuals less than 18 years of age.
National security-related exemptions, similar to the previous 2019 version, have been kept intact. The Centre has been empowered to exempt its agencies from adhering to provisions of the Bill in the interest of sovereignty and integrity of India, security of the state, friendly relations with foreign states, maintenance of public order or preventing incitement to any cognisable offence.
The government could also exempt certain businesses from adhering to provisions of the Bill on the basis of number of users and the volume of personal data processed by the entity. This has been done keeping in mind the start-up ecosystem of the country, which had complained that the previous version of the Bill was too “compliance intensive”. On Thursday (November 17), The Indian Express had reported about exemptions to start-ups under the new Bill.
The draft also proposes to impose significant penalties on businesses that have data breaches or fail to notify users when breaches happen. Entities that fail to take “reasonable security safeguards” to prevent personal data breaches will be fined as high as Rs 250 crore.
If an entity fails to notify users and the Data Protection Board about a data breach, the fine could go as high as Rs 200 crore. A similar penalty would be imposed if entities fail to safeguard children’s privacy. The maximum penalty that could be imposed on an entity has been capped at Rs 500 crore, per instance of violation.
Notably, the Bill also prescribes penalties for users. It says that if a user submits false documents while signing up for an online service, or files frivolous grievance complaints, the user could be fined up to Rs 10,000.